Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
manage-public-web-access | Manage Public Web Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/manage-public-web-access.md | For Search admins and Global admins: 1. In the Microsoft 365 admin center, go to **Settings** > **Search & intelligence**. -2. On the **Configurations** page, select **Public web content in Microsoft Copilot for Microsoft 365**. +2. On the **Configurations** page, select **Improved responses with web content in Copilot for Microsoft 365**. 3. Select Change. -4. Unselect the checkbox for Allow Copilot to reference web content. +4. Unselect the checkbox for **Allow Copilot to reference public web content**. 5. Select Save. For Search admins and Global admins: For Global admins only: 1. In the admin center, go to **Settings** > **Org settings**.-2. On the Copilot page, select **Public Web Content in Microsoft Copilot for Microsoft 365**. +2. On the Copilot page, select **Improved responses with web content in Copilot for Microsoft 365**. 3. Select **Change**. 4. Unselect the checkbox for **Allow Copilot to reference web content**. 5. Select **Save**. |
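Review bot: step 4 of the second procedure (Global admins only, via **Settings** > **Org settings**) still reads "Unselect the checkbox for **Allow Copilot to reference web content**", while step 4 of the first procedure was updated in this same change to "**Allow Copilot to reference public web content**". If the checkbox carries the new label at both entry points, update the second step 4 too, so the two procedures don't name the same control differently.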
microsoft-365-copilot-enable-users | Microsoft 365 Copilot Enable Users | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-enable-users.md | You can also manage licenses from the Copilot page in the Microsoft 365 admin ce Once you've assigned licenses, the Copilot experience will automatically appear for users in Microsoft 365 Apps. In some experiences, like Word, a Copilot dialog will appear when creating a new document. In other experiences, Copilot is quickly accessible on the Ribbon. ++>[!NOTE] +>For Education customers, the Copilot license is listed under **Microsoft 365 A3 Extra Features for faculty** or **Microsoft 365 A5 Extra Features for faculty**. + ## Send welcome email After licensing your users for Microsoft Copilot for Microsoft 365, we recommend sending them a welcome email to introduce them to Microsoft Copilot for Microsoft 365 and help them understand what it can do for them. The easiest way to do this is to use the [Microsoft Copilot for Microsoft 365 setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide), which includes an option for sending a welcome email to your Copilot users. HereΓÇÖs an example of this email: |
microsoft-365-copilot-setup | Microsoft 365 Copilot Setup | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-setup.md | To get started with the implementation process, see [Deployment guide for Micros >[!IMPORTANT] > Microsoft Copilot for Microsoft 365 will follow Microsoft 365 Apps' standard practice for deployment and updates, being available in all update channels, except for Semi-annual channel. Preview channels include Insiders, Current Channel - Preview and Beta Channel. Production channels include Current Channel and then Monthly Enterprise Channel. >-> Copilot is available in Current Channel, and starting December 12, on Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels). +> Copilot is available in Current Channel, and starting December 12, on Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels). ## Manage licenses for Copilot |
commerce | Allowselfservicepurchase Powershell | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell.md | The following table lists the available products and their **ProductId**. It als | Windows 365 Business with Windows Hybrid Benefit | CFQ7TTC0HX99 | No | | Microsoft 365 F3 | CFQ7TTC0LH05 | No | | Microsoft Purview Discovery | CFQ7TTC0N8SL | Yes |-| Dynamics 365 Marketing | CFQ7TTC0LH3N | No | -| Dynamics 365 Marketing Attach | CFQ7TTC0LHWP | No | -| Dynamics 365 Marketing Additional Application | CFQ7TTC0LHVK | No | -| Dynamics 365 Marketing Additional Non-Prod Application | CFQ7TTC0LHWM | No | *These IDs have changed. If you previously blocked products using the old IDs, they're automatically blocked using the new IDs. No other work is required. |
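Review bot: the four Dynamics 365 Marketing rows (CFQ7TTC0LH3N, CFQ7TTC0LHWP, CFQ7TTC0LHVK, CFQ7TTC0LHWM) are dropped from the ProductId table without any accompanying text, and the trailing note only covers IDs that changed ("*These IDs have changed..."). An admin who previously blocked self-service purchase for these ProductIds can't tell from the table whether the products were retired or renamed, or whether the existing block still applies; add a one-line note stating why the rows were removed.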
enterprise | Assign Licenses To User Accounts With Microsoft 365 Powershell | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell.md | Title: Assign Microsoft 365 licenses to user accounts with PowerShell Previously updated : 10/16/2023 Last updated : 02/01/2024 audience: Admin ms.localizationpriority: medium - scotvorg - Ent_O365+- must-keep f1.keywords: - CSH + - azure-ad-ref-level-one-done ms.assetid: ba235f4f-e640-4360-81ea-04507a3a70be search.appverid: - MET150 description: In this article, learn how to use PowerShell to assign a Microsoft *This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.* -Users can't use any Microsoft 365 services until their account has been assigned a license from a licensing plan. You can use PowerShell to quickly assign licenses to unlicensed accounts. +Users can't use any Microsoft 365 services until their account has been assigned a license from a licensing plan. You can use PowerShell to quickly assign licenses to unlicensed accounts. -User accounts must first be assigned a location. Specifying a location is a required part of creating a new user account in the [Microsoft 365 admin center](../admin/add-users/add-users.md). +User accounts must first be assigned a location. Specifying a location is a required part of creating a new user account in the [Microsoft 365 admin center](../admin/add-users/add-users.md). Accounts synchronized from your on-premises Active Directory Domain Services don't by default have a location specified. You can configure a location for these accounts from: Accounts synchronized from your on-premises Active Directory Domain Services don >[Learn how to assign licenses to user accounts](../admin/manage/assign-licenses-to-users.md) with the Microsoft 365 admin center. For a list of additional resources, see [Manage users and groups](/admin). 
> -## Use the Microsoft Graph PowerShell SDK +## Assign Microsoft 365 licenses to user accounts with the Microsoft Graph PowerShell SDK ++> [!NOTE] +> The following script uses Microsoft Graph Powershell. For more information, see [Microsoft Graph PowerShell overview](/powershell/microsoftgraph/overview). +> +> For information about how to use different methods to authenticate ```Connect-Graph``` in an unattended script, see the article [Authentication module cmdlets in Microsoft Graph PowerShell](/powershell/microsoftgraph/authentication-commands). First, [connect to your Microsoft 365 tenant](/graph/powershell/get-started#authentication). You can verify the change in subscription for the user account with this command Get-MgUserLicenseDetail -UserId "belindan@litwareinc.com" ``` -## Use the Azure Active Directory PowerShell for Graph module -->[!Note] ->The Set-AzureADUserLicense cmdlet is scheduled to be retired. Please migrate your scripts to the Microsoft Graph SDK's Set-MgUserLicense cmdlet as described above. For more information, see [Migrate your apps to access the license managements APIs from Microsoft Graph](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366). -> --First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module). - --Next, list the license plans for your tenant with this command. --```powershell -Get-AzureADSubscribedSku | Select SkuPartNumber -``` --Next, get the sign-in name of the account to which you want to add a license, also known as the user principal name (UPN). --Next, ensure that the user account has a usage location assigned. 
--```powershell -Get-AzureADUser -ObjectID <user sign-in name (UPN)> | Select DisplayName, UsageLocation -``` --If there's no usage location assigned, you can assign one with these commands: --```powershell -$userUPN="<user sign-in name (UPN)>" -$userLoc="<ISO 3166-1 alpha-2 country code>" -Set-AzureADUser -ObjectID $userUPN -UsageLocation $userLoc -``` --Finally, specify the user sign-in name and license plan name and run these commands. --```powershell -$userUPN="<user sign-in name (UPN)>" -$planName="<license plan name from the list of license plans>" -$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense -$License.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value $planName -EQ).SkuID -$LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses -$LicensesToAssign.AddLicenses = $License -Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $LicensesToAssign -``` --## Use the Microsoft Azure Active Directory module for Windows PowerShell -->[!Note] ->The Set-MsolUserLicense and New-MsolUser (-LicenseAssignment) cmdlets are scheduled to be retired. Please migrate your scripts to the Microsoft Graph SDK's Set-MgUserLicense cmdlet as described above. For more information, see [Migrate your apps to access the license managements APIs from Microsoft Graph](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366). -> --First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell). --Run the `Get-MsolAccountSku` command to view the available licensing plans and the number of available licenses in each plan in your organization. The number of available licenses in each plan is **ActiveUnits** - **WarningUnits** - **ConsumedUnits**. 
For more information about licensing plans, licenses, and services, see [View licenses and services with PowerShell](view-licenses-and-services-with-microsoft-365-powershell.md). -->[!Note] ->PowerShell Core does not support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with **Msol** in their name. To continue using these cmdlets, you must run them from Windows PowerShell. -> --To find the unlicensed accounts in your organization, run this command. --```powershell -Get-MsolUser -All -UnlicensedUsersOnly -``` --You can only assign licenses to user accounts that have the **UsageLocation** property set to a valid ISO 3166-1 alpha-2 country code. For example, US for the United States, and FR for France. Some Microsoft 365 services aren't available in certain countries. For more information, see [About license restrictions](https://go.microsoft.com/fwlink/p/?LinkId=691730). - -To find accounts that don't have a **UsageLocation** value, run this command. --```powershell -Get-MsolUser -All | where {$_.UsageLocation -eq $null} -``` --To set the **UsageLocation** value on an account, run this command. --```powershell -Set-MsolUser -UserPrincipalName "<Account>" -UsageLocation <CountryCode> -``` --For example: --```powershell -Set-MsolUser -UserPrincipalName "belindan@litwareinc.com" -UsageLocation US -``` - -If you use the **Get-MsolUser** cmdlet without using the **-All** parameter, only the first 500 accounts are returned. --### Assigning licenses to user accounts - -To assign a license to a user, use the following command in PowerShell. 
- -```powershell -Set-MsolUserLicense -UserPrincipalName "<Account>" -AddLicenses "<AccountSkuId>" -``` --This example assigns a license from the **litwareinc:ENTERPRISEPACK** (Office 365 Enterprise E3) licensing plan to the unlicensed user **belindan\@litwareinc.com**: - -```powershell -Set-MsolUserLicense -UserPrincipalName "belindan@litwareinc.com" -AddLicenses "litwareinc:ENTERPRISEPACK" -``` --To assign a license to all unlicensed users, run this command. - -```powershell -Get-MsolUser -All -UnlicensedUsersOnly [<FilterableAttributes>] | Set-MsolUserLicense -AddLicenses "<AccountSkuId>" -``` - ->[!Note] ->You can't assign multiple licenses to a user from the same licensing plan. If you don't have enough available licenses, the licenses are assigned to users in the order that they're returned by the **Get-MsolUser** cmdlet until the available licenses run out. -> --This example assigns licenses from the **litwareinc:ENTERPRISEPACK** (Office 365 Enterprise E3) licensing plan to all unlicensed users: - -```powershell -Get-MsolUser -All -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses "litwareinc:ENTERPRISEPACK" -``` --This example assigns those same licenses to unlicensed users in the Sales department in the United States: - -```powershell -Get-MsolUser -All -Department "Sales" -UsageLocation "US" -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses "litwareinc:ENTERPRISEPACK" -``` - -## Move a user to a different subscription (license plan) with the Azure Active Directory PowerShell for Graph module --First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module). - -Next, get the sign-in name of the user account for which you want switch subscriptions, also known as the user principal name (UPN). --Next, list the subscriptions (license plans) for your tenant with this command. 
--```powershell -Get-AzureADSubscribedSku | Select SkuPartNumber -``` --Next, list the subscriptions that the user account currently has with these commands. --```powershell -$userUPN="<user account UPN>" -$licensePlanList = Get-AzureADSubscribedSku -$userList = Get-AzureADUser -ObjectID $userUPN | Select -ExpandProperty AssignedLicenses | Select SkuID -$userList | ForEach { $sku=$_.SkuId ; $licensePlanList | ForEach { If ( $sku -eq $_.ObjectId.substring($_.ObjectId.length - 36, 36) ) { Write-Host $_.SkuPartNumber } } } -``` --Identify the subscription the user currently has (the FROM subscription) and the subscription to which the user is moving (the TO subscription). --Finally, specify the TO and FROM subscription names (SKU part numbers) and run these commands. --```powershell -$subscriptionFrom="<SKU part number of the current subscription>" -$subscriptionTo="<SKU part number of the new subscription>" -# Unassign -$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense -$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses -$licenses.RemoveLicenses = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value $subscriptionFrom -EQ).SkuID -Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $licenses -# Assign -$license.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value $subscriptionTo -EQ).SkuID -$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses -$licenses.AddLicenses = $License -Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $licenses -``` --You can verify the change in subscription for the user account with these commands. 
--```powershell -$licensePlanList = Get-AzureADSubscribedSku -$userList = Get-AzureADUser -ObjectID $userUPN | Select -ExpandProperty AssignedLicenses | Select SkuID -$userList | ForEach { $sku=$_.SkuId ; $licensePlanList | ForEach { If ( $sku -eq $_.ObjectId.substring($_.ObjectId.length - 36, 36) ) { Write-Host $_.SkuPartNumber } } } -``` - ## See also -[Manage user accounts, licenses, and groups with PowerShell](manage-user-accounts-and-licenses-with-microsoft-365-powershell.md) - [Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)- -[Getting started with PowerShell for Microsoft 365](getting-started-with-microsoft-365-powershell.md) ++[Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md) ++[Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started) Use the Microsoft Graph [user: assignLicense](/graph/api/user-assignlicense) and [subscribedSku](/graph/api/resources/subscribedsku) APIs |
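Review bot: the "See also" hunk appears to leave two entries for [Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md), the unchanged one plus the added `+[Manage Microsoft 365 with PowerShell](...)` line; if so, drop the added duplicate. In the new note under the retitled heading, "Microsoft Graph Powershell" should be "Microsoft Graph PowerShell", and the inline ```Connect-Graph``` should use single backticks. Separately, the removed section "Move a user to a different subscription (license plan) with the Azure Active Directory PowerShell for Graph module" gets no Microsoft Graph equivalent in this change; if the article is meant to keep that task, it needs a Set-MgUserLicense version rather than a silent removal.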
enterprise | Connect To Microsoft 365 Powershell | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/connect-to-microsoft-365-powershell.md | Title: "Connect to Microsoft 365 with PowerShell" + Title: "Connect to Microsoft 365 with Microsoft Graph PowerShell" Previously updated : 06/30/2023 Last updated : 02/01/2024 audience: ITPro ms.localizationpriority: high - scotvorg - Ent_O365+- must-keep f1.keywords: - CSH + - azure-ad-ref-level-one-done ms.assetid: 5ebc0e21-b72d-46d8-96fa-00643b18eaec-description: "Connect to your Microsoft 365 tenant by using PowerShell for Microsoft 365 to do admin center tasks from the command line." +description: "Connect to your Microsoft 365 tenant by using Microsoft Graph PowerShell to do admin center tasks from the command line." -# Connect to Microsoft 365 with PowerShell +# Connect to Microsoft 365 with Microsoft Graph PowerShell *This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.* -PowerShell for Microsoft 365 enables you to manage your Microsoft 365 settings from the command line. To connect to PowerShell, just install the required software and then connect to your Microsoft 365 organization. +Microsoft Graph PowerShell enables you to manage your Microsoft 365 settings from the command line. This article shows you how to install the required software and then connect to your Microsoft 365 organization using the Microsoft Graph PowerShell SDK. -There are two versions of the PowerShell module that you can use to connect to Microsoft 365 and administer user accounts, groups, and licenses: +Currently, the Azure Active Directory PowerShell for Graph module doesn't completely replace the functionality of the Microsoft Azure Active Directory module for Windows PowerShell for application proxy management, user, and contact administration. In some cases, you need to use both versions. You can safely install both versions on the same computer. 
-- Azure Active Directory PowerShell for Graph, whose cmdlets include *AzureAD* in their name-- Microsoft Azure Active Directory module for Windows PowerShell, whose cmdlets include *Msol* in their name+<a name='connect-with-the-azure-active-directory-powershell-for-graph-module'></a> -Currently, the Azure Active Directory PowerShell for Graph module doesn't completely replace the functionality of the Microsoft Azure Active Directory module for Windows PowerShell module for user, group, and license administration. In some cases, you need to use both versions. You can safely install both versions on the same computer. +## What do you need to know before you begin? ->[!Note] ->You can also connect with the [Azure Cloud Shell](#connect-with-the-azure-cloud-shell) from the Microsoft 365 admin center. +> [!NOTE] +> The Azure Active Directory (AzureAD) PowerShell module is being deprecated and replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). >+> Also see [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation) and [Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell](/powershell/microsoftgraph/migration-steps) for information on how to install and upgrade to Microsoft Graph PowerShell, respectively. +#### Prerequisites -## What do you need to know before you begin? +PowerShell 7 and later is the recommended PowerShell version for use with the Microsoft Graph PowerShell SDK on all platforms. There are no other prerequisites to use the SDK with PowerShell 7 or later. ->[!NOTE] -> The Azure Active Directory module is being replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. 
For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). +The following prerequisites are required to use the Microsoft Graph PowerShell SDK with Windows PowerShell. -**Operating system** +- Upgrade to PowerShell 5.1 or later +- Install .NET Framework 4.7.2 or later +- Update PowerShellGet to the latest version using Install-Module PowerShellGet -You must use a 64-bit version of Windows. Support for the 32-bit version of the Microsoft Azure Active Directory module for Windows PowerShell ended in 2014. +The PowerShell script execution policy must be set to remote signed or less restrictive. Use Get-ExecutionPolicy to determine the current execution policy. For more information, see about_Execution_Policies. To set the execution policy, run: ++```powershell +Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser +``` -You can use the following versions of Windows: - - - Windows 10, Windows 8.1, Windows 8, or Windows 7 Service Pack 1 (SP1) - - - Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1 +##### Operating system ->[!Note] ->For Windows 8.1, Windows 8, Windows 7 Service Pack 1 (SP1), Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 SP1, download and install the [Windows Management Framework 5.1](https://www.microsoft.com/download/details.aspx?id=54616). +You must use a 64-bit version of Windows. 
You can use the following versions of Windows: -**PowerShell** +- Windows 11, Windows 10, Windows 8.1, Windows 8, or Windows 7 Service Pack 1 (SP1) -- For the Azure Active Directory PowerShell for Graph module, you must use PowerShell version 5.1.+- Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1 -- For the Microsoft Azure Active Directory module for Windows PowerShell module, you must use PowerShell version 5.1 or later, up to PowerShell version 6. You can't use PowerShell version 7.- ->[!Note] ->These procedures are intended for users who are members of a Microsoft 365 admin role. For more information, see [About admin roles](../admin/add-users/about-admin-roles.md). +> [!NOTE] +> For Windows 8.1, Windows 8, Windows 7 Service Pack 1 (SP1), Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 SP1, download and install the [Windows Management Framework 5.1](https://www.microsoft.com/download/details.aspx?id=54616). +To use Microsoft Graph PowerShell, you must use at least PowerShell version **5.1**. -## Connect with the Azure Active Directory PowerShell for Graph module +> [!NOTE] +> These procedures are intended for users who are members of a Microsoft 365 admin role. For more information, see [About admin roles](../admin/add-users/about-admin-roles.md). -Commands in the Azure Active Directory PowerShell for Graph module have *AzureAD* in their cmdlet name. You can install the [Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2) module or [Azure PowerShell](/powershell/azure/install-az-ps). +<a name='connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell'></a> -For procedures that require the new cmdlets in the Azure Active Directory PowerShell for Graph module, follow these steps to install the module and connect to your Microsoft 365 subscription. 
+## Connect with Microsoft Graph PowerShell -> [!Note] -> For information about support for different versions of Windows, see [Azure Active Directory PowerShell for Graph module](/powershell/azure/active-directory/install-adv2) . +In this section, you'll learn how to connect to your Microsoft 365 organization using the Microsoft Graph PowerShell SDK. You can visit [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation) for more guidance. ### Step 1: Install the required software -These steps are required only one time on your computer. But you'll likely need to update the software periodically. - -1. Open a Windows PowerShell Command Prompt window. - -2. Run this command: - - ```powershell - Install-Module -Name AzureAD - ``` +The Microsoft Graph PowerShell SDK is published in the [PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.Graph). - By default, the PowerShell Gallery (PSGallery) isn't configured as a trusted repository for **PowerShellGet**. The first time you use the PSGallery, you'll see the following message: +These steps are required only one time on your computer. However, you'll likely need to update the software periodically. -```console -Untrusted repository +#### Install the Microsoft Graph PowerShell SDK and beta module -You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the `Set-PSRepository` cmdlet. +The Microsoft Graph PowerShell SDK comes in two modules, Microsoft.Graph and Microsoft.Graph.Beta, that you'll install separately. These modules call the Microsoft Graph v1.0 and Microsoft Graph beta endpoints, respectively. You can install the two modules on the same PowerShell version. -Are you sure you want to install the modules from 'PSGallery'? -[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): -``` +1. Open a Windows PowerShell Command Prompt window. 
Depending on the permissions of your logged-in account, you may need to open the PowerShell window in Administrator mode. -Answer **Yes** or **Yes to All** to continue with the installation. +2. To install the v1 module of the SDK in PowerShell Core or Windows PowerShell, run the following command: -3. Run this command to import the module: - ```powershell- Import-Module AzureAD + Install-Module Microsoft.Graph -Scope CurrentUser ```- -<a name='step-2-connect-to-azure-ad-for-your-microsoft-365-subscription'></a> --### Step 2: Connect to Microsoft Entra ID for your Microsoft 365 subscription --To connect to Microsoft Entra ID for your Microsoft 365 subscription with an account name and password or with multi-factor authentication, run one of these commands from a Windows PowerShell command prompt. (It doesn't have to be elevated.) --| Office 365 cloud | Command | -|:-|:--| -| Office 365 Worldwide (+GCC) | `Connect-AzureAD` | -| Office 365 operated by 21 Vianet | `Connect-AzureAD -AzureEnvironmentName AzureChinaCloud` | -| Office 365 Germany | `Connect-AzureAD -AzureEnvironmentName AzureGermanyCloud` | -| Office 365 U.S. Government DoD and Office 365 U.S. Government GCC High | `Connect-AzureAD -AzureEnvironmentName AzureUSGovernment` | -||| --In the **Sign into your account** dialog box, type your Microsoft 365 work or school account user name and password, and then select **OK**. --If you're using multi-factor authentication, follow the instructions to provide additional authentication information, such as a verification code. -After you connect, you can use the cmdlets for the [Azure Active Directory PowerShell for Graph module](/powershell/module/azuread). +3. Run this command to install the beta module: -## Connect with the Microsoft Azure Active Directory module for Windows PowerShell -->[!Note] ->Cmdlets in the Microsoft Azure Active Directory module for Windows PowerShell have *Msol* in their name. 
+ ```powershell + Install-Module Microsoft.Graph.Beta + ``` -PowerShell version 7 and later don't support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with *Msol* in their name. For PowerShell version 7 and later, you must use the Microsoft Graph PowerShell SDK. +After the installation is completed, you can verify the installed version with the following command: -PowerShell Core doesn't support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with *Msol* in their name. Run these cmdlets from Windows PowerShell. - -### Step 1: Install the required software +```azurepowershell +Get-InstalledModule Microsoft.Graph +``` -These steps are required only one time on your computer. But you'll likely need to update the software periodically. - -1. If you're not running Windows 10, install the 32-bit version of the Microsoft Online Services Sign-in Assistant: [Microsoft Online Services Sign-in Assistant for IT Professionals RTW](https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_32bit.msi). - -2. Follow these steps to install and import the Microsoft Azure Active Directory module for Windows PowerShell: - - 1. Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator). - 1. Run the **Install-Module MSOnline** command. - 1. If you're prompted to install the NuGet provider, type **Y** and press Enter. - 1. If you're prompted to install the module from PSGallery, type **Y** and press Enter. - 1. Run the **Import-Module MSOnline** command to import the module. - <a name='step-2-connect-to-azure-ad-for-your-microsoft-365-subscription'></a> -### Step 2: Connect to Microsoft Entra ID for your Microsoft 365 subscription --To connect to Microsoft Entra ID for your Microsoft 365 subscription with an account name and password or with multi-factor authentication, run one of these commands from a Windows PowerShell command prompt. 
(It doesn't have to be elevated.) --| Office 365 cloud | Command | -|:-|:--| -| Office 365 Worldwide (+GCC) | `Connect-MsolService` | -| Office 365 operated by 21 Vianet | `Connect-MsolService -AzureEnvironment AzureChinaCloud` | -| Office 365 Germany | `Connect-MsolService -AzureEnvironment AzureGermanyCloud` | -| Office 365 U.S. Government DoD and Office 365 U.S. Government GCC High | `Connect-MsolService -AzureEnvironment USGovernment` | -||| +### Step 2: Connect to your Microsoft 365 subscription -In the **Sign into your account** dialog box, type your Microsoft 365 work or school account user name and password, and then select **OK**. +The PowerShell SDK supports two types of authentication: delegated access, and app-only access. In this guide, you'll use delegated access to sign in as a user, grant consent to the SDK to act on your behalf, and call the Microsoft Graph. -If you're using multi-factor authentication, follow the instructions to provide additional authentication information, such as a verification code. +For details on using app-only access for unattended scenarios, see [Use app-only authentication with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/app-only). -### How do you know it worked? +#### Determine required permission scopes -If you don't get an error message, you connected successfully. For quick test, run a Microsoft 365 cmdlet, such as **Get-MsolUser**, and see the results. - -If you get an error message, check the following issues: - -- **A common problem is an incorrect password**. Run [Step 2](#step-2-connect-to-azure-ad-for-your-microsoft-365-subscription) again, and pay close attention to the user name and password that you enter.- -- **The Microsoft Azure Active Directory module for Windows PowerShell requires that Microsoft .NET Framework 3.5.*x* is enabled on your computer**. It's likely that your computer has a newer version installed (for example, 4 or 4.5.*x*). 
But backward compatibility with older versions of the .NET Framework can be enabled or disabled. For more information, see the following articles:- - - For Windows Server 2012 or Windows Server 2012 R2, see [Enable .NET Framework 3.5 by using the Add Roles and Features Wizard](/previous-versions/windows/it-pro/windows-8.1-and-8/dn482071(v=win.10)). - - - For Windows 7 or Windows Server 2008 R2, see [You can't open the Azure Active Directory module for Windows PowerShell](/troubleshoot/azure/active-directory/cant-open-aad-module-powershell). +Each API in the Microsoft Graph is protected by one or more permission scopes. The user logging in must consent to one of the required scopes for the APIs you plan to use. In this example, we'll use the following APIs. - - For Windows 10, Windows 8.1, and Windows 8, see [Install the .NET Framework 3.5 on Windows 10, Windows 8.1, and Windows 8](/dotnet/framework/install/dotnet-35-windows-10). +- List users to find the user ID of the logged-in user. +- List joinedTeams to get the Teams the user is a member of. +- List channels to get the channels in a Team. +- Send message to send a message to a Team's channel. - -- **Your version of the Microsoft Azure Active Directory module for Windows PowerShell might be out of date.** To check, run the following command in PowerShell for Microsoft 365 or the Microsoft Azure Active Directory module for Windows PowerShell:- - ```powershell - (Get-Item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion - ``` +The **User.Read.All** permission scope enables the first two calls, and the **Group.ReadWrite.All** scope enables the rest. These permissions require an admin account. - If the version number returned is lower than *1.0.8070.2*, uninstall the Microsoft Azure Active Directory module for Windows PowerShell and install from [Step 1](#step-1-install-the-required-software), above. 
+For more information about how to determine what permission scopes you'll need, see [Using Find-MgGraphCommand](/powershell/microsoftgraph/find-mg-graph-command). -- **If you get a connection error message**, see ["Connect-MsolService: Exception of type was thrown" error](/office365/troubleshoot/active-directory/connect-msoservice-throw-exception).- -- **If you get a "Get-Item: Cannot find path" error message**, run this command:+To connect to your Microsoft 365 Organization, run the following command: +``` powershell +Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All" +``` - ```powershell - (dir "C:\Program Files\WindowsPowerShell\Modules\MSOnline").Name - ``` --## Connect with the Azure Cloud Shell --To connect with and use the Azure Cloud Shell from the Microsoft 365 admin center, select the PowerShell window icon from the upper-right corner of the task bar. In the **Welcome to Azure Cloud Shell** pane, select **PowerShell**. --You will need an active Azure subscription for your organization that is tied to your Microsoft 365 subscription. If you don't already have one, you can create one. Once you have an Azure subscription, a PowerShell window opens from which you can run PowerShell commands and scripts. --For more information, see [Azure Cloud Shell](/azure/cloud-shell/overview). -+The command prompts you to go to a web page to sign in with your credentials. Once you've done that, the command indicates success with a **Welcome To Microsoft Graph!** message. You only need to sign in once per session. +> [!TIP] +> You can accretively add permissions by repeating the **Connect-MgGraph** command with the new permission scopes. 
## See also - [Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)-- [Get started with PowerShell for Microsoft 365](getting-started-with-microsoft-365-powershell.md)-- [Connect to all Microsoft 365 services in a single Windows PowerShell window](connect-to-all-microsoft-365-services-in-a-single-windows-powershell-window.md)+- [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started) |
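Review bot: the sentence `These permissions require an admin account.` should say why: both `User.Read.All` and `Group.ReadWrite.All` are tenant-wide `.All` scopes, and Group.ReadWrite.All grants write access to every group in the tenant, far more than the single channel-message send in this walkthrough needs. Suggest adding a line that points readers to the Find-MgGraphCommand link already in the hunk to pick the least-privileged scope for each of the four listed calls before running `Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"`, and extending the TIP to say that scopes added accretively accumulate for the session, so readers should request only what the remaining steps use.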
security | Configure Device Connectivity | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-connectivity.md | Title: Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint description: Learn how to use a streamlined domain or static IP ranges during onboarding when connecting devices to Microsoft Defender for Endpoint --++ Devices must meet specific prerequisites to use the streamlined connectivity met **Defender Antivirus versions (macOS/Linux)** -- [macOS supported versions](microsoft-defender-endpoint-mac.md) with MDE product version 101.23092+.* running InsiderFast (Beta) ring-- [Linux supported versions](microsoft-defender-endpoint-linux.md) with MDE product version 101.23092+.* running InsiderFast (Beta) ring+- [macOS supported versions](microsoft-defender-endpoint-mac.md) with MDE product version 101.23102.*+ +- [Linux supported versions](microsoft-defender-endpoint-linux.md) with MDE product version 101.23102.*+ **Supported Operating Systems** Devices must meet specific prerequisites to use the streamlined connectivity met - Windows Server 2019 - Windows Server 2022 - Windows Server 2012 R2, Server 2016 R2, fully updated running Defender for Endpoint modern unified solution (installation through MSI).-- [macOS supported versions](microsoft-defender-endpoint-mac.md) with MDE product version 101.23092+.* running InsiderFast (Beta) ring-- [Linux supported versions](microsoft-defender-endpoint-linux.md) with MDE product version 101.23092+.* running InsiderFast (Beta) ring+- [macOS supported versions](microsoft-defender-endpoint-mac.md) with MDE product version 101.23102.*+ +- [Linux supported versions](microsoft-defender-endpoint-linux.md) with MDE product version 101.23102.*+ > [!IMPORTANT] > - **Devices running on MMA agent are not supported** on the streamlined connectivity method and will need to continue using the standard URL set (Windows 7, Windows 
8.1, Windows Server 2008 R2 MMA, Server 2012 & 2016 R2 not upgraded to modern unified agent). |
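Review bot: the new version notation `101.23102.*+` in the macOS and Linux bullets is ambiguous (a wildcard followed by a plus); write it as `101.23102.* or later` so it reads the same way as `Windows 10 1809+` in the same list. Separately, the unchanged context line `Windows Server 2012 R2, Server 2016 R2, fully updated` and the IMPORTANT note's `Server 2012 & 2016 R2` name a product that does not exist; it should read `Windows Server 2016` in both places.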
security | Configure Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-environment.md | Title: Configure your network environment to ensure connectivity with Defender for Endpoint service description: Learn how to configure your network environment to connect with the Defender for Endpoint service -keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.appverid: met150 --++ ms.localizationpriority: medium The following downloadable spreadsheet lists the services and their associated U |Spreadsheet of domains list| Description| |--|--|-| Microsoft Defender for Endpoint consolidated URL list (NEW - Streamlined) <br> | **IMPORTANT:** Currently in public preview. <br> Spreadsheet of consolidated URLs for streamlining device connectivity. <br>[Download the spreadsheet here.](https://go.microsoft.com/fwlink/?linkid=2248278)<br><br> **Applicable OS:** <br/>For complete list, see [streamlined connectivity](configure-device-connectivity.md#prerequisites). <br>- Windows 10 1809+<br>- Windows 11<br>- Windows Server 2019<br>- Windows Server 2022<br>- Windows Server 2012 R2, Windows Server 2016 R2 running [Defender for Endpoint modern unified solution](configure-server-endpoints.md) (requires installation through MSI). <br>- macOS supported versions running 101.23092.* + Insider Fast <br/>- Linux supported versions running 101.23092.* + Insider Fast<br><br> **Minimum component versions:**<br/>- Antimalware client: 4.18.2211.5<br/>- Engine: 1.1.19900.2<br/>- Security intelligence: 1.391.345.0<br/> - Xplat version: 101.23092.* + on InsiderFast (Beta)<br/>- Sensor/ KB version: >10.8040.*/ March 8, 2022+<br><br>If you are moving previously onboarded devices to the streamlined approach, see [Migrating device connectivity](migrate-devices-streamlined.md). 
+| Microsoft Defender for Endpoint consolidated URL list (NEW - Streamlined) <br> | **IMPORTANT:** Currently in public preview. <br> Spreadsheet of consolidated URLs for streamlining device connectivity. <br>[Download the spreadsheet here.](https://go.microsoft.com/fwlink/?linkid=2248278)<br><br> **Applicable OS:** <br/>For complete list, see [streamlined connectivity](configure-device-connectivity.md#prerequisites). <br>- Windows 10 1809+<br>- Windows 11<br>- Windows Server 2019<br>- Windows Server 2022<br>- Windows Server 2012 R2, Windows Server 2016 R2 running [Defender for Endpoint modern unified solution](configure-server-endpoints.md) (requires installation through MSI). <br>- macOS supported versions running 101.23102.* + <br/>- Linux supported versions running 101.23102.* + <br><br> **Minimum component versions:**<br/>- Antimalware client: 4.18.2211.5<br/>- Engine: 1.1.19900.2<br/>- Security intelligence: 1.391.345.0<br/> - Xplat version: 101.23102.* +<br/>- Sensor/ KB version: >10.8040.*/ March 8, 2022+<br><br>If you are moving previously onboarded devices to the streamlined approach, see [Migrating device connectivity](migrate-devices-streamlined.md). |Microsoft Defender for Endpoint URL list for commercial customers (Standard)| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx) <p> Microsoft Defender for Endpoint Plan 1 and Plan 2 share the same proxy service URLs. | Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <br> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx) | |
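Review bot: the replaced table cell writes the minimum version as `101.23102.* +` (space before the plus) in three places, while the companion configure-device-connectivity change writes `101.23102.*+`; pick one form, preferably `101.23102.* or later`, and use it in both articles. The cell also still opens with `**IMPORTANT:** Currently in public preview.` even though the Insider Fast (Beta) requirement is dropped here; confirm whether streamlined connectivity is still in preview and update that line in the same change.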
security | Deploy And Manage Using Group Policy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-and-manage-using-group-policy.md | - Title: Deploy and manage using group policy -description: Use group policy to deploy and manage on printer protection. -------- m365-security-- tier2-- Previously updated : 11/16/2023----# Deploy and manage using group policy --**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)--Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions. --## Licensing requirements --Before you get started with Printer protection, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=3). To access and use Printer Protection through group policy, you must have Microsoft 365 E5. --## Deploy using group policy --1. Enable or Disable Device control: -- You can enable or disable Device control as follows: -- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control**. - - In the **Device Control** window, select **Enabled**. -- :::image type="content" source="images/enable-rsac-gp.png" alt-text="Screenshot of Enabling RSAC using Group Policy. " lightbox="images/enable-rsac-gp.png"::: -- The purpose of this configuration is to temporarily disable device control on specific machine. -- > [!NOTE] - > If you don't see this group policy objects, you need to add the group policy administrative template. You can download administrative template (WindowsDefender.admx and WindowsDefender.admx) from [samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main). 
- > - > This configuration controls both Removable storage access control [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer protection. --2. Set Default Enforcement: -- You can set default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices). -- For example, you can have either a Deny or an Allow policy for RemovableMediaDevices, but not for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. -- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Select Device Control Default Enforcement Policy** -- - In the **Select Device Control Default Enforcement Policy** pane, select **Default Deny**: -- :::image type="content" source="images/set-default-enforcement-deny-gp.png" alt-text="Screenshot of setting Default Enforcement = Deny using Group Policy." lightbox="images/set-default-enforcement-deny-gp.png"::: -- > [!NOTE] - > This configuration controls both Removable storage access control [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer protection. If you only want to manage storage, make sure to create Allow policy for Printer. Otherwise, this Default Enforcement will be applied to Printer as well. --3. Create one XML file for printer group(s): -- Use the properties in printer group to create one XML file for the printer group(s), save the XML file to network share, and define the setting as follows: -- - Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**. 
-- :::image type="content" source="images/define-device-control-policy-grps-gp.png" alt-text="Screenshot of Define device control policy groups." lightbox="images/define-device-control-policy-grps-gp.png"::: -- - In the **Define device control policy groups** window, specify the network share file path containing the XML groups data. -- Take a look at the **Overview** > **Group**. You can create different group types. Here's one group example XML file for any network printer and USB printer and PDF/XPS printer group: [XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Groups.xml). -- > [!NOTE] - > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. --4. Create one XML file for access policy rule(s): -- Use the properties in printer protection policy rule(s) to create an XML for each group's printer access policy rule, save the XML file to network share, and deliver the setting as follows: -- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy rules**. -- :::image type="content" source="images/define-device-cntrl-policy-rules-gp.png" alt-text="Screenshot of define device control policy rules." lightbox="images/define-device-cntrl-policy-rules-gp.png"::: -- - In the **Define device control policy rules** window, select **Enabled**, and enter the network share file path containing the XML rules data. -- Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. Here's one [example XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Policies.xml). 
-- > [!NOTE] - > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. --5. Set location for a copy of the file (evidence): -- If you want to have a copy of the file (evidence) when Print access happens, set right **Options** in your Printer protection policy rule in the XML file, and then specify the location where system can save the copy. -- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define Device Control evidence data remote location**. -- - In the **Define Device Control evidence data remote location** pane, select **Enabled**, and then specify the local or network share folder path. -- :::image type="content" source="images/evidence-data-remote-location-gp.png" alt-text="Screenshot of Define Device Control evidence data remote location." lightbox="images/evidence-data-remote-location-gp.png"::: --## Scenarios --Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Printer Protection. In the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer. --### Scenario 1: Prevent print to all but allow print through specific approved USB printer when the machine is corporate network, VPN connected, or print through PDF/XPS file --Allows to print only through approved USB printer when machine is in corporate network, VPN connected, or print through PDF/XPS file. --You can download the files here, [Printer Protection Samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Printer%20Protection%20Samples/Group%20Policy). --1. Create any printer group and allowed-USB printer group and allowed-file printer group. -- 1. Group 1: Any printer group. 
-- :::image type="content" source="media/screenshot-of-removable-storage.png" alt-text="This is the screenshot of removable of storage." lightbox="media/screenshot-of-removable-storage.png"::: -- 2. Group 2: Allowed-USB printer group. -- :::image type="content" source="media/screenshot-of-approved-usbs.png" alt-text="This is the screenshot of approved USBs." lightbox="media/screenshot-of-approved-usbs.png"::: -- 3. Group 2: Allowed PDF/XPS file printer group: following PrinterConnectionId is used, but if you want to only allow PDF, FriendlyNameId with 'Microsoft Print to PDF' is recommended. -- :::image type="content" source="images/group-3.png" alt-text="This is group 3policy." lightbox="images/group-3.png"::: -- Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Groups.xml). See step 3 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration. -- > [!TIP] - > Replace `&` with `&` in the value. --2. Create policy. -- 1. Create Allow and Audit policy for allowed-file printer group. -- :::image type="content" source="media/block-write-execute-access.png" alt-text="This is block write access screenshot." lightbox="media/block-write-execute-access.png"::: -- 2. Create policy to allow authorized USB printer only when the machine is Corporate Network OR VPN connected. -- :::image type="content" source="media/audit-write.png" alt-text="This is the default audit write access screenshot." lightbox="media/audit-write.png"::: -- 3. Create Default Deny custom policy for any other printers. -- :::image type="content" source="images/create-default.png" alt-text="This is create default screenshot." lightbox="images/create-default.png"::: -- Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Policies.xml). 
See step 4 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration. |
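Review bot: this change deletes deploy-and-manage-using-group-policy.md outright, but nothing in the hunk shows a redirect for the old path; the article links to itself from its Scenario 1 steps (`See step 3 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section`) and is the only place in this batch that documents the `Define Device Control evidence data remote location` and `Define device control policy groups` Group Policy settings for printers, so add a redirect to wherever printer protection is documented now before merging, or existing links to this path will break.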
security | Deploy And Manage Using Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-and-manage-using-intune.md | - Title: Deploy and manage printer protection using Intune -description: Use Intune OMA-URI and Intune user interface to deploy and manage on printer protection. -------- m365-security-- tier2-- mde-asr-- Previously updated : 09/25/2023----# Deploy and manage printer protection using Intune --**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)--Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions. --## Licensing requirements --Before you get started with Printer Protection, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Printer Protection, you must have Microsoft 365 E3. --### Permission --For policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions. --- Policy and profile Manager role-- Custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles-- Global administrator--## Deploy using Intune OMA-URI --Go to the Microsoft Intune admin center (<https://endpoint.microsoft.com/>) > **Devices** > **Configuration profiles** > **Create profile** > **Platform: Windows 10 and later, Profile type: Templates** > **Custom** > **Create**. --1. Enable or Disable Device control (Optional): -- - Under **Custom**, enter the **Name** and **Description** and select **Next**. - - In the **Configuration settings**, select **Add**. 
- - In the **Add Row** pane, specify the following settings: - - **Name** as **Enable Device Control** - - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled` - - **Data Type** as **Integer** - - **Value** as **1** -- `Disable: 0` - `Enable: 1` -- - Select **Save**. -- :::image type="content" source="media/enable-rsac.png" alt-text="Screenshot of enabling Removable Storage Access Control policy." lightbox="media/enable-rsac.png"::: -- The purpose of this configuration is to temporarily disable Device control on specific machine. -- > [!NOTE] - > This configuration controls both [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer Protection. --2. Set Default Enforcement: -- You can set the default access (Deny or Allow) for all Device Control features (`RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`). -- - In the **Add Row** pane, specify the following settings: - - **Name** as **Default Deny** - - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement` - - **Data Type** as **Integer** - - **Value** as **1** or **2** -- `DefaultEnforcementAllow = 1` - `DefaultEnforcementDeny = 2` -- - Select **Save**. -- :::image type="content" source="media/default-deny.png" alt-text="Screenshot of setting Default Enforcement as Deny." lightbox="media/default-deny.png"::: -- > [!NOTE] - > This configuration controls both Removable storage access control [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer protection. If you only want to manage storage, make sure to create Allow policy for Printer. Otherwise, this Default Enforcement will be applied to Printer as well. --3. 
Create one XML file for printer group(s): -- You can create a removable storage group for each group as follows: -- - In the **Add Row** pane, enter: - - **Name** as **Any Removable Storage Group** - - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData` - - **Data Type** as **String (XML file)** - - **Custom XML** as selected XML file -- Take a look at the **Overview** > **Group**. You can create different group types. Here's one group example XML file for any network printer and USB printer and PDF/XPS printer group: [XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Any%20printer%20group.xml). -- :::image type="content" source="media/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group." lightbox="media/any-removable-storage-group.png"::: -- > [!NOTE] - > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. --4. Create one XML file for access policy rule(s): -- You can create a policy and apply it to related removable storage group as follows: -- - In the **Add Row** pane, enter: - - **Name** as **Allow Read Activity** - - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b**[PolicyRule Id]**%7d/RuleData` - - **Data Type** as **String (XML file)** - - **Custom XML** as selected XML file -- Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. Here's one [example XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Allow%20Authorized%20USB%20Printer.xml). -- :::image type="content" source="media/allow-read-activity.png" alt-text="Screenshot of Allow Read Activity policy." 
lightbox= "media/allow-read-activity.png"::: -- > [!NOTE] - > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. --5. Set location for a copy of the file (Optional): -- If you want to have a copy of the file (evidence) when Print access happens, set right **Options** in your Printer protection policy rule in the XML file, and then specify the location where system can save the copy. -- - In the **Add Row** pane, enter: - - **Name** as **Evidence folder location** - - **OMA-URI** as `./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation` - - **Data Type** as **String** -- :::image type="content" source="media/device-control-oma-uri-edit-row.png" alt-text="Set location for file evidence." lightbox="media/device-control-oma-uri-edit-row.png"::: --## Scenarios (default enforcement) --Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Printer Protection. In the following samples, **Default Enforcement** hasn't been used because the **Default Enforcement** will apply to both the removable storage and the printer. --### Scenario 1: Prevent print to all but allow print through specific approved USB printer when the machine is Corporate Network OR VPN connected or print through PDF/XPS file --Allows to print only through approved USB printer when machine is in corporate network, VPN connected, or print through PDF/XPS file. --You can download the files here, [Printer Protection Samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Printer%20Protection%20Samples/Intune%20OMA-URI). --1. Create any printer group and allowed-USB printer group and allowed-file printer group. -- 1. Group 1: Any printer group -- :::image type="content" source="./media/any-printer-group-xml1.png" alt-text="A screenshot of Any printer group." 
lightbox= "./media/any-printer-group-xml1.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Any%20printer%20group.xml). See step 3 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration. -- 2. Group 2: Allowed-USB printer group -- :::image type="content" source="media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" alt-text="A screenshot of approved USBs." lightbox= "media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Authorized%20USB%20Printer.xml). See step 3 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration. -- 3. Group 3: Allowed PDF/XPS file printer group: following PrinterConnectionId is used, but if you want to only allow PDF, FriendlyNameId with 'Microsoft Print to PDF' is recommended. -- :::image type="content" source="images/allowed-pdf.png" alt-text="This is allowed pdf."lightbox="images/allowed-pdf.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/PDF_XPS%20Printer.xml). See step 3 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration. -- > [!TIP] - > Replace `&` with `&` in the value. --2. Create policy. -- 1. Create **Allow** and **Audit** policy for allowed-file printer group. -- :::image type="content" source="media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png" alt-text="A screenshot of policy 1." lightbox= "media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Allow%20PDF_XPS%20Printer.xml). 
See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration. -- 2. Create policy to allow authorized USB printer only when the machine is Corporate Network OR VPN connected. -- :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2." lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Allow%20Authorized%20USB%20Printer.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration. -- 3. Create Default Deny custom policy for any other printers. -- :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2." lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Default%20Deny%20-%20custom%20policy.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration. |
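Review bot: the deleted Intune article states `To access and use Printer Protection, you must have Microsoft 365 E3` while the deleted group-policy article in the row above says `you must have Microsoft 365 E5`; whichever page replaces the two should state a single licensing requirement. It should also keep the Permission list (`Policy and profile Manager role`, a custom role with Create/Edit/Update/Read/Delete/View Reports on device configuration profiles, `Global administrator`), since that is the least-privilege guidance an admin needs when deciding who may push device control policy through OMA-URI.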
security | Deploy Manage Removable Storage Group Policy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-group-policy.md | - Title: Deploy and manage Removable Storage Access Control using group policy -description: Use group policy to deploy and manage removable storage access control. -------- m365-security-- tier2-- mde-asr-- Previously updated : 11/21/2023----# Deploy and manage Removable Storage Access Control using group policy --**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)--> [!NOTE] -> The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806). --The Removable Storage Access Control feature enables you to apply a policy by using group policy to either user or device, or both. --## Device Control Removable Storage Access Control policies --You can use the following properties to create a removable storage group. --> [!NOTE] -> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. --## Licensing requirements --Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). 
To access and use Removable Storage Access Control through group policy, you must have a standalone Microsoft Defender for Endpoint Plan 1 or Microsoft 365 E3 which includes Microsoft Defender for Endpoint Plan 1 or Microsoft 365 E5 which includes Microsoft Defender for Endpoint Plan 1 and 2. --## Deploy using group policy --1. Enable or Disable Removable Storage Access Control (Optional): -- You can enable or disable Device control as follows: -- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control**. - - In the **Device Control** window, select **Enabled**. -- :::image type="content" source="images/enable-rsac-gp.png" alt-text="Screenshot of Enabling RSAC using Group Policy " lightbox="images/enable-rsac-gp.png"::: -- > [!NOTE] - > If you don't see this group policy objects, you need to add the group policy administrative template. You can download administrative template (WindowsDefender.adml and WindowsDefender.admx) from [mdatp-devicecontrol / Removable Storage Access Control Samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) on GitHub. --2. Set Default Enforcement: -- You can set default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices). -- For example, you can have either a Deny or an Allow policy for RemovableMediaDevices, but not for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. If you only want to manage storage, make sure to create Allow policy for Printer. Otherwise, this Default Enforcement will be applied to Printer as well. 
-- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control** > **Select Device Control Default Enforcement** -- - In the **Select Device Control Default Enforcement** pane, select **Default Deny**: -- :::image type="content" source="images/set-default-enforcement-deny-gp.png" alt-text="Screenshot of setting Default Enforcement = Deny using Group Policy" lightbox="images/set-default-enforcement-deny-gp.png"::: --3. Create one XML file for removable storage group(s): -- Use the properties in removable storage group to create an XML file for the Removable storage group(s), save the XML file to network share, and define the setting as follows: -- - Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**. -- :::image type="content" source="images/define-device-control-policy-grps-gp.png" alt-text="Screenshot of Define device control policy groups" lightbox="images/define-device-control-policy-grps-gp.png"::: -- - In the **Define device control policy groups** window, specify the network share file path containing the XML groups data. -- Take a look at the **Overview** > **Removable storage group**. You can create different group types. Here's one group example XML file for any removable storage and CDROM and Windows portable devices and approved USBs group: [XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml) - - > [!NOTE] - > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. --4. 
Create one XML file for access policy rule(s): -- Use the properties in removable storage access policy rule(s) to create an XML for each group's removable storage access policy rule, save the XML file to network share, and deliver the setting as follows: -- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy rules**. -- :::image type="content" source="images/define-device-cntrl-policy-rules-gp.png" alt-text="Screenshot of define device control policy rules" lightbox="images/define-device-cntrl-policy-rules-gp.png"::: -- - In the **Define device control policy rules** window, select **Enabled**, and enter the network share file path containing the XML rules data. -- Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. Here's one [example XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Policies.xml). -- > [!NOTE] - > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. --5. Set location for a copy of the file (evidence): -- If you want to have a copy of the file (evidence) when Write access happens, set right **Options** in your removable storage access policy rule in the XML file, and then specify the location where system can save the copy. -- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define Device Control evidence data remote location**. -- - In the **Define Device Control evidence data remote location** pane, select **Enabled**, and then specify the local or network share folder path. 
-- :::image type="content" source="images/evidence-data-remote-location-gp.png" alt-text="Screenshot of Define Device Control evidence data remote location." lightbox="images/evidence-data-remote-location-gp.png"::: --## Scenarios --Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control. In the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer. --### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs --For this scenario, you need to create two groups - one group for any removable storage and another group for approved USBs. You also need to create two policies - one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group. --1. Create groups -- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices. -- :::image type="content" alt-text="A screenshot of removable storage" source="https://user-images.githubusercontent.com/81826151/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png"::: -- 2. Group 2: Approved USBs based on device properties. -- :::image type="content" alt-text="A screenshot of approved USBs" source="https://user-images.githubusercontent.com/81826151/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" lightbox="https://user-images.githubusercontent.com/81826151/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png"::: - - Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml). See step 3 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration. -- > [!TIP] - > Replace `&` with `&` in the value. --2. Create policy -- 1. 
Policy 1: Block Write and Execute access for any removable storage group but allow approved USBs. -- :::image type="content" alt-text="A screenshot of block write and execute access" source="https://user-images.githubusercontent.com/81826151/188237490-d736ace1-4912-4788-9e94-3fc506692a41.png"::: --- 2. Policy 2: Audit Write and Execute access for allowed USBs. -- :::image type="content" alt-text="A screenshot of audit write and execute access" source="https://user-images.githubusercontent.com/81826151/188237598-b28dd534-9ea4-4cdd-832b-afff50f9897b.png"::: -- What does '54' mean in the policy? It's 18 + 36 = 54: -- - Write access: disk level 2 + file system level 16 = 18. - - Execute: disk level 4 + file system level 32 = 36. -- Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Scenario%201%20GPO%20Policy%20-%20Prevent%20Write%20and%20Execute%20access%20to%20all%20but%20allow%20specific%20approved%20USBs.xml). See step 4 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration. --### Scenario 2: Audit Write and Execute access for all but block specific blocked USBs --For this scenario, you need to create two groups - one group for any removable storage and another group for blocked USBs. You also need to create two policies - one policy to audit Write and Execute access for any removable storage group and the other policy to deny the blocked USBs group. --1. Create groups -- 1. Group 1: Any removable storage, CD/DVD, and windows portable devices. -- :::image type="content" alt-text="A screenshot of removable storage in groups" source="https://user-images.githubusercontent.com/81826151/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png"::: -- 2. Group 2: Blocked USBs based on device properties. 
-- :::image type="content" alt-text="A screenshot of blocked USBs" source="https://user-images.githubusercontent.com/81826151/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" lightbox="https://user-images.githubusercontent.com/81826151/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png"::: - - Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml). See step 3 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration. -- > [!TIP] - > Replace `&` with `&` in the value. --2. Create policy -- 1. Policy 1: Block Write and Execute access for all but block specific unapproved USBs. -- :::image type="content" alt-text="A screenshot of specific unapproved USBs" source="https://user-images.githubusercontent.com/81826151/188239025-218a1985-b198-4f7e-b323-b4b6fb7e274e.png" lightbox="https://user-images.githubusercontent.com/81826151/188239025-218a1985-b198-4f7e-b323-b4b6fb7e274e.png"::: -- 2. Policy 2: Audit Write and Execute access for others. -- :::image type="content" alt-text="A screenshot of audit write and execute access in group policy" source="https://user-images.githubusercontent.com/81826151/188239144-3e6a2781-6927-487a-aa01-498a0904ad98.png" lightbox="https://user-images.githubusercontent.com/81826151/188239144-3e6a2781-6927-487a-aa01-498a0904ad98.png"::: -- What does '54' mean in the policy? It's 18 + 36 = 54: -- - Write access: disk level 2 + file system level 16 = 18. - - Execute: disk level 4 + file system level 32 = 36. -- Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Scenario%202%20GPO%20Policy%20-%20Audit%20Write%20and%20Execute%20access%20to%20all%20but%20block%20specific%20unapproved%20USBs.xml). 
See step 4 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration. --### Scenario 3: Block read and execute access to specific file extension --For this scenario, you need to create two groups: one removable storage group for any removable storage and another group for unallowed file extensions. You also need to create one policy - deny read and execute access to any file under the allowed file extension group for defined removable storage group. --1. Create groups -- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices. -- 2. Group 2: Unallowed file extensions. - - Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Block%20Read%20and%20Write%20access%20to%20specific%20file%20_Groups.xml). See step 3 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration. -- > [!TIP] - > Explicitly mark the Type attribute on the group as **File** -- 2. Policy 2: Deny read and execute access to any file under the allowed file extension group for defined removable storage group. -- :::image type="content" alt-text="image" source="https://user-images.githubusercontent.com/81826151/200713006-c0d39e2b-9acc-4522-9f88-e064eeb3a4ae.png"::: - - What does '40' mean in the policy? It's 8 + 32 = 40: -- - only need to restrict file system level access -- Although this case only has one policy, make sure put it under PolicyRules [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Block%20Read%20and%20Write%20access%20to%20specific%20file%20_Policy.xml). 
See step 4 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration. - |
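Review bot: the TIP under Scenario 1 and Scenario 2 ("Replace `&` with `&` in the value") is a no-op as rendered, because both sides show the same character; the intended replacement is presumably the XML entity `&amp;`, and it should be written so the entity survives escaping. Two further inconsistencies in the same hunk: in Scenario 2, Policy 1 is titled "Block Write and Execute access for all but block specific unapproved USBs", which contradicts the scenario heading (audit all, block only the unapproved group) and duplicates the audit-all role of Policy 2, so it should read as a block rule for the unapproved USBs group only; in Scenario 3, the policy text denies access to files "under the allowed file extension group" although Group 2 is "Unallowed file extensions", the policy is numbered "Policy 2" with no Policy 1, and the linked sample is named "Block Read and Write access" while the scenario covers read and execute. Finally, the "Device Control Removable Storage Access Control policies" section promises "the following properties" but lists none before the licensing heading, and the same XML-comment NOTE is repeated three times; if this text is moving to another file rather than being retired, carry these fixes across.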
security | Deploy Manage Removable Storage Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune.md | - Title: Deploy and manage Removable Storage Access Control using Intune -description: Use Intune OMA-URI and Intune user interface to deploy and manage removable storage access control. -------- m365-security-- tier2-- mde-asr-- Previously updated : 12/14/2023----# Deploy and manage Removable Storage Access Control using Intune --**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)--> [!NOTE] -> The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806). --The Removable Storage Access Control feature enables you to apply policy by using OMA-URI or by using Intune user interface to either user or device, or both. 
--|Capability|Intune OMA-URI|Intune user interface| -|||| -|Enable or Disable Device control|supported|not supported| -|Set Default Enforcement|supported|not supported| -|Create Removable storage group|supported|supported| -|Control Disk level access|supported|supported| -|Control File level access|supported|not supported| -|Set location for a copy of the file|supported|not supported| -|File Parameter|supported|not supported| -|Network location|supported|not supported| --## Licensing requirements --Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3. --### Permission --For policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions. --- Policy and profile Manager role-- Custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles-- Global administrator--## Deploy Removable Storage Access Control by using Intune OMA-URI --Go to the Microsoft Intune admin center (<https://endpoint.microsoft.com/>) > **Devices** > **Configuration profiles** > **Create profile** > **Platform: Windows 10 and later, Profile type: Templates** > **Custom** > **Create**. --1. Enable or Disable Device control (Optional): -- - Under **Custom**, enter the **Name** and **Description** and select **Next**. - - In the **Configuration settings**, select **Add**. - - In the **Add Row** pane, specify the following settings: - - **Name** as **Enable Device Control** - - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled` - - **Data Type** as **Integer** - - **Value** as **1** -- `Disable: 0` - `Enable: 1` -- - Select **Save**. 
-- :::image type="content" source="media/enable-rsac.png" alt-text="Screenshot of enabling Removable Storage Access Control policy" lightbox="media/enable-rsac.png"::: --2. Set Default Enforcement (Optional): -- You can set the default access (Deny or Allow) for all Device Control features (`RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`). -- To block a specific removable storage class but allow specific media, you can use '`IncludedIdList` a group through `PrimaryId` and `ExcludedIDList` a group through `DeviceId`/`HardwareId`/etc.' For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md). -- For example, you can have either a **Deny** or an **Allow** policy for `RemovableMediaDevices`, but not for `CdRomDevices` or `WpdDevices`. You can set **Default Deny** through this policy, then Read/Write/Execute access to `CdRomDevices` or `WpdDevices` will be blocked. If you only want to manage storage, make sure to create an **Allow** policy for your printer; otherwise, this default enforcement will be applied to printers as well. -- - In the **Add Row** pane, specify the following settings: - - **Name** as **Default Deny** - - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement` - - **Data Type** as **Integer** - - **Value** as **1** or **2** -- `DefaultEnforcementAllow = 1` - `DefaultEnforcementDeny = 2` -- - Select **Save**. -- :::image type="content" source="media/default-deny.png" alt-text="Screenshot of setting Default Enforcement as Deny" lightbox="media/default-deny.png"::: --3. 
Create one XML file for each group: -- You can create a removable storage group for each group as follows: -- - In the **Add Row** pane, enter: - - **Name** as **Any Removable Storage Group** - - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData` - - **Data Type** as **String (XML file)** - - **Custom XML** as selected XML file -- Take a look at the **Overview** -> **Removable storage group**, you can create different group types. Here's a [group example XML file for any removable storage and CD-ROM and Windows portable devices](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). - - To get the GroupId, sign in to the **Microsoft Intune admin center** and select **Groups** > **Copy the Object ID**. -- :::image type="content" source="media/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group." lightbox="media/any-removable-storage-group.png"::: -- > [!NOTE] - > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. --4. Create one XML file for each access control or policy rule: -- You can create a policy and apply it to related removable storage group as follows: -- - In the **Add Row** pane, enter: - - **Name** as **Allow Read Activity** - - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b**[PolicyRule Id]**%7d/RuleData` - - **Data Type** as **String (XML file)** - - **Custom XML** as selected XML file -- Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. 
Here's a [group example XML file for Allow Read access for each removable storage](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml). -- :::image type="content" source="media/allow-read-activity.png" alt-text="Screenshot of Allow Read Activity policy" lightbox= "media/allow-read-activity.png"::: -- > [!NOTE] - > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. --5. Set location for a copy of the file (Optional): -- If you want to have a copy of the file (evidence) when Write access happens, set right **Options** in your removable storage access policy rule in the XML file, and then specify the location where system can save the copy. -- - In the **Add Row** pane, enter: - - **Name** as **Evidence folder location** - - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation` - - **Data Type** as **String** -- :::image type="content" source="media/device-control-oma-uri-edit-row.png" alt-text="Set location for file evidence" lightbox="media/device-control-oma-uri-edit-row.png"::: --## Scenarios (default enforcement) --Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control. In the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer. --### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs --For this scenario, you need to create two groups: one group for any removable storage and another group for approved USBs. You also need to create two policies: one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group. --1. Create groups. -- 1. 
Group 1: Any removable storage, CD/DVD, and Windows portable devices. -- :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot showing removable storage" lightbox= "media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. -- 2. Group 2: Approved USBs based on device properties. -- :::image type="content" source="media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" alt-text="A screenshot of approved USBs" lightbox= "media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Approved%20USBs%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. -- > [!TIP] - > Replace `&` with `&` in the value in the XML file. --2. Create policy -- 1. Policy 1: Block Write and Execute access for any removable storage group but allow approved USBs. -- :::image type="content" source="media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png" alt-text="A screenshot of policy 1" lightbox= "media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). 
See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. -- 2. Policy 2: Audit Write and Execute access for allowed USBs. -- :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2" lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png"::: -- What does `54` mean in the policy? It's `18 + 36 = 54`. -- - Write access: disk level 2 + file system level 16 = 18. - - Execute: disk level 4 + file system level 32 = 36. -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Audit%20Write%20and%20Execute%20access%20to%20aproved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. --### Scenario 2: Audit Write and Execute access for all but block specific blocked USBs --For this scenario, you need to create two groups: one group for any removable storage and another group for blocked USBs. You also need to create two policies: one policy to audit Write and Execute access for any removable storage group and the other policy to deny the blocked USBs group. --1. Create groups -- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices. -- :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot of group 1" lightbox="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). 
See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. -- 2. Group 2: Unapproved USBs based on device properties. -- :::image type="content" source="media/188243875-0693ebcf-00c3-45bd-afd3-57a79df9dce6.png" alt-text="A screenshot of group 2" lightbox= "media/188243875-0693ebcf-00c3-45bd-afd3-57a79df9dce6.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Unapproved%20USBs%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. -- > [!TIP] - > Replace `&` with `&` in the value in the XML file. --2. Create policy -- 1. Policy 1: Block Write and Execute access for all but block specific unapproved USBs. -- :::image type="content" source="media/188244024-62355ded-353c-4d3a-ba61-4520d48f5a18.png" alt-text="A screenshot of policy for blocking unapproved USBs" lightbox= "media/188244024-62355ded-353c-4d3a-ba61-4520d48f5a18.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%202%20Audit%20Write%20and%20Execute%20access%20to%20all%20but%20block%20specific%20unapproved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. -- 2. Policy 2: Audit Write and Execute access for others. 
-- :::image type="content" source="media/188244203-36c869b6-9330-4e2a-854b-494c342bb77d.png" alt-text="A screenshot of audit write and execute access" lightbox= "media/188244203-36c869b6-9330-4e2a-854b-494c342bb77d.png"::: -- What does `54` mean in the policy? It's `18 + 36 = 54`. -- - Write access: disk level 2 + file system level 16 = 18. - - Execute: disk level 4 + file system level 32 = 36. -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%202%20Audit%20Write%20and%20Execute%20access%20to%20others.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. --### Scenario 3: Block read and execute access to specific file extension --For this scenario, you need to create two groups: one removable storage group for any removable storage and another group for unallowed file extensions. You also need to create one policy: deny read and execute access to any file under the unallowed file extension group for a defined removable storage group. --1. Create groups. -- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices. -- :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot of group 1" lightbox="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png"::: -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. -- 2. Group 2: Unallowed file extensions. 
-- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Unauthorized%20File%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. -- > [!TIP] - > Explicitly mark the Type attribute on the group as **File** -- 3. Policy 2: Deny read and execute access to any file under the allowed file extension group for defined removable storage group. -- :::image type="content" source="media/200713006-c0d39e2b-9acc-4522-9f88-e064eeb3a4ae.png" alt-text="Screenshot of OMA-URI settings." lightbox="media/200713006-c0d39e2b-9acc-4522-9f88-e064eeb3a4ae.png"::: -- What does `40` mean in the policy? It's `8 + 32 = 40`. -- - only need to restrict file system level access -- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Deny%20Read%20and%20Write%20access%20to%20specific%20files.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration. --## Deploy Removable Storage Access Control by using Intune user interface --This capability is available in the Microsoft Intune admin center (<https://endpoint.microsoft.com/>). --Go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform: Windows 10 and later** with **Profile: Device Control**. --## Scenarios (USB devices) --Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control. In the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer. 
--### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs --For this scenario, you need to create two groups: one group for any removable storage and another group for approved USBs. You also need to create two policies: one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group. --1. To set up the groups you'll need, go to **Endpoint Security** \> **Attack Surface Reduction** \> **Reusable settings** \> **Add**. For more details, see **DescriptorIdList** on the [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](device-control-removable-storage-access-control.md#group). -- 1. For group 1, configure any removable storage, CD/DVD, and Windows portable devices, as shown in the following screenshots: -- :::image type="content" source="media/208774115-ab503406-a3c6-4611-b5fa-9e837e731898.png" alt-text="Screenshot showing removable device settings." lightbox="media/208774115-ab503406-a3c6-4611-b5fa-9e837e731898.png"::: -- :::image type="content" source="media/208774136-b63b2268-926f-482a-a509-aab7f8efba02.png" alt-text="Screenshot showing additional removable device settings." lightbox="media/208774136-b63b2268-926f-482a-a509-aab7f8efba02.png"::: -- 2. For group 2, choose **+ Add** to create another group for approved USBs, based on device properties, as shown in the following screenshot: -- :::image type="content" source="media/208774190-b700f7cb-0d0e-4d27-955b-23be9c0cb7b5.png" alt-text="Screenshot showing additional group for approved USB devices." lightbox="media/208774190-b700f7cb-0d0e-4d27-955b-23be9c0cb7b5.png"::: --2. To set up your policy, go to **Endpoint Security** \> **Attack Surface Reduction** \> **Create Policy**. --3. Choose **Platform**: **Windows 10 and later** with **Profile: Device Control**. Select **Device Control**: **Configured**. -- 1. 
Set up Policy 1: Audit Write and Execute access for allowed USBs. -- - Choose **+ Set reusable settings** for **Included ID** and choose **Select**, as shown in the following screenshot: -- :::image type="content" source="media/208774439-b46795ce-e9c0-41ec-a3f7-26feefa6b2e7.png" alt-text="Screenshot showing auditing settings for policy 1." lightbox="media/208774439-b46795ce-e9c0-41ec-a3f7-26feefa6b2e7.png"::: -- - Choose **+ Edit Entry** for **Entry**, as shown in the following screenshot: -- :::image type="content" source="media/208774532-d8d3f0a0-5ce3-401b-bb8b-2b75383d6cf7.png" alt-text="Screenshot showing auditing settings being edited." lightbox="media/208774532-d8d3f0a0-5ce3-401b-bb8b-2b75383d6cf7.png"::: -- 2. Set up Policy 2. Choose **+ Add** to create another policy for **Block Write and Execute access for any removable storage group**. -- - Choose **+ Set reusable settings** for **Included ID** and choose **Select**, as shown in the following screenshot: -- :::image type="content" source="media/208774632-5a568173-c6af-4a64-8236-e0ec5f835147.png" alt-text="Screenshot showing the ID for reusable settings." lightbox="media/208774632-5a568173-c6af-4a64-8236-e0ec5f835147.png"::: -- - Choose **+ Set reusable settings** for **Excluded ID** to exclude authorized USBs, and then choose **Select**, as shown in the following screenshot: -- :::image type="content" source="media/208774743-6b584ac3-3373-4650-9af8-d340ffa9ceae.png" alt-text="Screenshot showing excluded ID settings." lightbox="media/208774743-6b584ac3-3373-4650-9af8-d340ffa9ceae.png"::: -- - Choose **+ Edit Entry** for **Entry**, as shown in the following screenshot: -- :::image type="content" source="media/208774780-39818049-07ee-4bee-824c-25a7cf235227.png" alt-text="Screenshot showing editing an entry for policy 2." 
lightbox="media/208774780-39818049-07ee-4bee-824c-25a7cf235227.png"::: --### Scenario 2: Audit Write and Execute access for all but block specific blocked USBs --For this scenario, you need to create two groups: one group for any removable storage, and another group for blocked USBs. You also need to create two policies: one policy to audit Write and Execute access for any removable storage group, and the other policy to deny the blocked USBs group. --1. To create groups, go to **Endpoint Security** > **Attack Surface Reduction** > **Reusable settings** > **Add**. For more details, see **DescriptorIdList** on the [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](device-control-removable-storage-access-control.md#group). -- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices, as shown in the following screenshots: -- :::image type="content" source="media/208774115-ab503406-a3c6-4611-b5fa-9e837e731898.png" alt-text="Screenshot showing removable storage example." lightbox="media/208774115-ab503406-a3c6-4611-b5fa-9e837e731898.png"::: -- And here's another example: -- :::image type="content" source="media/208774136-b63b2268-926f-482a-a509-aab7f8efba02.png" alt-text="Screenshot showing a second example of removable storage." lightbox="media/208774136-b63b2268-926f-482a-a509-aab7f8efba02.png"::: --2. To create your policy, go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform**: **Windows 10 and later** with **Profile: Device Control**. Select **Device Control**: **Configured**. -- 1. Policy 1: Block unauthorized USBs. Choose **+ Set reusable settings** for **Included ID** and choose **Select**, as shown in the following screenshot: -- :::image type="content" source="media/208775137-c5a98123-b488-4e1a-9695-9b93b1d8f45b.png" alt-text="Screenshot showing the included ID for settings." 
lightbox="media/208775137-c5a98123-b488-4e1a-9695-9b93b1d8f45b.png"::: -- Choose **+ Edit Entry** for **Entry**, as shown in the following screenshot: -- :::image type="content" source="media/208775203-439bb8b5-e45a-47a7-9828-51ea9d5cfe95.png" alt-text="Screenshot showing Entry being edited." lightbox="media/208775203-439bb8b5-e45a-47a7-9828-51ea9d5cfe95.png"::: -- 2. Policy 2: Choose **+ Add** to create another policy for 'Audit Write and Execute access for any removable storage group'. Choose **+ Set reusable settings** for **Included ID**, and then choose **Select**, as shown in the following screenshot: -- :::image type="content" source="media/208775292-485a13e4-533c-4efc-97a4-611786d02fd1.png" alt-text="Screenshot showing reusable settings." lightbox="media/208775292-485a13e4-533c-4efc-97a4-611786d02fd1.png"::: -- Choose **+ Set reusable settings** for **Excluded ID** to exclude authorized USBs, and then choose **Select**, as shown in the following screenshot: -- :::image type="content" source="media/208775330-79c69f54-513e-49b2-8b9f-2fdf8293ee35.png" alt-text="Screenshot showing excluded ID in reusable settings." lightbox="media/208775330-79c69f54-513e-49b2-8b9f-2fdf8293ee35.png"::: -- Choose **+ Edit Entry** for **Entry**, as shown in the following screenshot: -- :::image type="content" source="media/208775366-f2cafb54-eb63-4bcd-b0fe-880f3cba2c1b.png" alt-text="Screenshot showing edit mode for an entry." lightbox="media/208775366-f2cafb54-eb63-4bcd-b0fe-880f3cba2c1b.png"::: |
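Review bot: In Scenario 2, step 1 says to create two groups ("one group for any removable storage, and another group for blocked USBs") but only Group 1 is walked through; the second screenshot is introduced as "And here's another example" rather than as the blocked-USBs group that Policy 1 ("Block unauthorized USBs") then selects as its Included ID. Add a sub-step for that group, mirroring Scenario 1's "For group 2, choose **+ Add** to create another group ... based on device properties". Separately, the file-extension Policy 2 text says "Deny read and execute access" while the linked sample file is named "Deny Read and Write access to specific files"; reconcile the two, and when explaining the mask ("It's `8 + 32 = 40`") state which access values 8 and 32 denote so a reader can verify that the mask matches the prose.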
security | Device Control Deploy Manage Gpo | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-deploy-manage-gpo.md | + + Title: Deploy and manage device control in Microsoft Defender for Endpoint with Group Policy +description: Learn how to deploy and manage device control in Defender for Endpoint using Group Policy +++ Last updated : 01/31/2024++++audience: ITPro ++- m365-security +- tier2 +- mde-asr ++- partner-contribution ++search.appverid: MET150 +f1.keywords: NOCSH +++# Deploy and manage device control in Microsoft Defender for Endpoint using Group Policy ++If you're using Group Policy to manage Defender for Endpoint settings, you can use it to deploy and manage device control. ++## Enable or disable removable storage access control +++1. On a device running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Features** \> **Device Control**. ++2. In the **Device Control** window, select **Enabled**. ++> [!NOTE] +> If you don't see these Group Policy Objects, you need to add the Group Policy Administrative Templates (ADMX). You can download administrative template ([WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/WindowsDefender.admx)) from [mdatp-devicecontrol / Windows samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/windows) in GitHub. ++## Set default enforcement ++You can set default access such as, `Deny` or `Allow` for all device control features, such as `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, and `PrinterDevices`. +++For example, you can have either a `Deny` or an `Allow` policy for `RemovableMediaDevices`, but not for `CdRomDevices` or `WpdDevices`. 
If you set `Default Deny` through this policy, then Read/Write/Execute access to `CdRomDevices` or `WpdDevices` is blocked. If you only want to manage storage, make sure to create `Allow` policy for printers. Otherwise, default enforcement (Deny) is applied to printers, too. ++1. On a device running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Features** \> **Device Control** \> **Select Device Control Default Enforcement Policy**. ++2. In the **Select Device Control Default Enforcement Policy** window, select **Default Deny**. ++## Configure device types +++To configure the device types that a device control policy is applied, follow these steps: ++1. On a computer running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Turn on device control for specific device types**. ++2. In the **Turn on device control for specific types** window, specify the product family IDs, separate by a pipe (`|`). Product family IDs include `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, or `PrinterDevices`. ++## Define groups +++1. Create one XML file for each removable storage group. ++2. Use the properties in your removable storage group to create an XML file for each removable storage group. ++3. Save each XML file to your network share. ++4. Define the settings as follows: ++ 1. On a device running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**. ++ 2. In the **Define device control policy groups** window, specify the network share file path containing the XML groups data. ++You can create different group types. 
Here's one group example XML file for any removable storage and CD-ROM, Windows portable devices, and approved USBs group: [XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/device/Group%20Policy/Scenario%202%20GPO%20Removable%20Storage%20Group.xml) ++> [!NOTE] +> Comments using XML comment notation `<!--COMMENT-->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. ++## Define Policies ++++1. Create one XML file for access policy rule. ++2. Use the properties in removable storage access policy rule(s) to create an XML for each group's removable storage access policy rule. ++3. Save the XML file to network share. ++4. Define the settings as follows: ++ 1. On a device running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy rules**. ++ 2. In the **Define device control policy rules** window, select **Enabled**, and then specify the network share file path containing the XML rules data. ++> [!NOTE] +> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. ++## Set location for a copy of the file (evidence) +++If you want to have a copy of the file (evidence) having Write access, set right **Options** in your removable storage access policy rule in the XML file, and then specify the location where system can save the copy. ++1. On a device running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define Device Control evidence data remote location**. ++2. 
In the **Define Device Control evidence data remote location** window, select **Enabled**, and then specify the local or network share folder path. ++## Retention period for local evidence cache +++If you want to change the default value of 60 days for persisting the local cache for file evidence, follow these steps: ++1. Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Set the retention period for files in the local device control cache**. ++2. In the **Set the retention period for files in the local device control cache** window, select **Enabled**, and then enter the number of days to retain the local cache (default 60). ++## See also ++- [Device control in Defender for Endpoint](device-control-overview.md) +- [Device control policies in and settings](device-control-policies.md) +- [Device Control for macOS](mac-device-control-overview.md) |
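Review bot: The Group Policy paths are inconsistent: "Enable or disable removable storage access control" and "Set default enforcement" go through **Microsoft Defender Antivirus** \> **Features** \> **Device Control**, while "Configure device types", "Define groups", "Define Policies" and both evidence settings omit the **Features** node; use one path throughout. In "Set default enforcement", the example paragraph contradicts itself: it says you can have a policy for `RemovableMediaDevices` "but not for `CdRomDevices` or `WpdDevices`", then that `Default Deny` blocks `CdRomDevices` and `WpdDevices`; reword it to say that the default enforcement applies to every device type that has no matching policy, which is the point the printer sentence already makes. Under "Define groups", steps 1 and 2 both instruct the reader to create one XML file per group; merge them (the same duplication appears in "Define Policies"). In the evidence section, "set right **Options**" should name the option to set. In "See also", fix "[Device control policies in and settings]" to "[Device control policies and settings]" as used in the companion articles.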
security | Device Control Deploy Manage Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune.md | + + Title: Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune +description: Learn how to deploy and manage device control in Defender for Endpoint using Microsoft Intune +++ Last updated : 02/01/2024++++audience: ITPro ++- m365-security +- tier2 +- mde-asr ++- partner-contribution ++search.appverid: MET150 +f1.keywords: NOCSH +++# Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune ++If you're using Intune to manage Defender for Endpoint settings, you can use it to deploy and manage device control capabilities. Different aspects of device control are managed differently in Intune, as described in the following sections. ++## Configure and manage device control in Intune ++1. Go to the [Intune admin center](https://intune.microsoft.com) and sign in. ++2. Go to **Endpoint security** > **Attack surface reduction**. ++3. Under **Attack surface reduction policies**, either select an existing policy, or select **+ Create Policy** to set up a new policy, using these settings: ++ - In the **Platform** list, select **Windows 10, Windows 11, and Windows Server**. (Device control is not currently supported on Windows Server, even though you select this profile for device control policies.) + - In the **Profile** list, select **Device Control**. ++4. On the **Basics** tab, specify a name and description for your policy. ++5. On the **Configuration settings** tab, you see a list of settings. You don't have to configure all of these settings at once. Consider starting with **Device Control**. ++ :::image type="content" source="media/device-control-policy-intune.png" alt-text="Screeenshot of Intune user interface for device control policies." 
lightbox="media/device-control-policy-intune.png"::: ++ - Under **Administrative Templates**, you have [Device Installation](/windows/client-management/mdm/policy-csp-deviceinstallation?WT.mc_id=Portal-fx) and [Removable Storage Access](/windows/client-management/mdm/policy-csp-admx-removablestorage) settings. + - Under **Defender**, see [Allow Full Scan Removable Drive Scanning](/windows/client-management/mdm/policy-csp-defender#allowfullscanremovabledrivescanning) settings. + - Under **Data Protection**, see [Allow Direct Memory Access](/windows/client-management/mdm/policy-csp-dataprotection) settings. + - Under **Dma Guard**, see [Device Enumeration Policy](/windows/client-management/mdm/policy-csp-dmaguard?WT.mc_id=Portal-fx) settings. + - Under **Storage**, see [Removable Disk Deny Write Access](/windows/client-management/mdm/policy-csp-Storage#removablediskdenywriteaccess) settings. + - Under **Connectivity**, see [Allow USB Connection](/windows/client-management/mdm/policy-csp-Connectivity#allowusbconnection)** and [Allow Bluetooth](/windows/client-management/mdm/policy-csp-Connectivity#allowbluetooth) settings. + - Under **Bluetooth**, see a list of settings that pertain to Bluetooth connections and services. For more details, see [Policy CSP - Bluetooth](/windows/client-management/mdm/policy-csp-Bluetooth?WT.mc_id=Portal-fx). + - Under **Device Control**, you can configure custom policies with reusable settings. For more details, see [Device control overview: Rules](device-control-policies.md#rules). ++6. After you have configured your settings, proceed to the **Scope tags** tab, where you can specify [scope tags](/mem/intune/fundamentals/scope-tags) for the policy. ++7. On the **Assignments** tab, specify groups of users or devices to receive your policy. For more details, see [Assign policies in Intune](/mem/intune/configuration/device-profile-assign). ++8. On the **Review + create** tab, review your settings, and make any needed changes. ++9. 
When you're ready, select **Create** to create your device control policy. ++## Device control profiles ++In Intune, each row represents a device control policy. The included ID is the reusable setting that the policy applies to. The excluded ID is the reusable setting that's excluded from the policy. The entry for the policy contains the permissions allowed and the behavior for device control that comes into force when the policy applies. +++For information on how to add the reusable groups of settings that are included in the row of each device control policy, see the *Add reusable groups to a Device Control profile* section in [Use reusable groups of settings with Intune policies](/mem/intune/protect/reusable-settings-groups). ++Policies can be added and removed using the **+** and **ΓÇô** icons. The name of the policy appears in the warning to users, and in advanced hunting and reports. ++> [!NOTE] +> The order in the UX isn't preserved for policies enforcement. The best practice is to set the default enforcement to DENY, and then use **Allow policies**. Ensure that the **Allow policies** option is non-intersecting by explicitly adding devices to be excluded. ++## Defining Settings with OMA-URI ++To use the following table, identify the setting you want to configure, and then use the information in the OMA-URI and data type & values columns. Settings are listed in alphabetical order. 
++| Setting | OMA-URI, data type, & values | +||| +| **Device control default enforcement** <br/>Default enforcement establishes what decisions are made during device control access checks when none of the policy rules match | `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`<br/><br/>Integer: <br/>- `DefaultEnforcementAllow` = `1`<br/>- `DefaultEnforcementDeny` = `2` | +| **Device types** <br/>Device types, identified by their Primary IDs, with device control protection turned on | `./Vendor/MSFT/Defender/Configuration/SecuredDevicesConfiguration`<br/><br/>String:<br/>- `RemovableMediaDevices`<br/>- `CdRomDevices`<br/>- `WpdDevices`<br/>- `PrinterDevices` | +| **Enable device control** <br/>Enable or disable device control on the device | `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`<br/><br/>Integer:<br/>- Disable = `0`<br/>- Enable = `1` | +| **Evidence data remote location** <br/>Device control moves evidence data captured | `./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation`<br/><br/>String | +| **Local evidence cache duration** <br/>Sets the retention period in days for files in the local device control cache | `./Vendor/MSFT/Defender/Configuration/DataDuplicationLocalRetentionPeriod`<br/><br/>Integer <br/>Example: `60` (60 days) | ++### Creating policies with OMA-URI +++When you create policies with OMA-URI in Intune, create one XML file for each policy. As a best practice, use the Device Control Profile or Device Control Rules Profile to author custom policies. ++In the **Add Row** pane, specify the following settings: ++- In the **Name** field, type `Allow Read Activity`. +- In the **OMA-URI** field, type `/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData`. +- In the **Data Type** field, select **String (XML file)**, and use **Custom XML**. ++You can use parameters to set conditions for specific entries. 
Here's a [group example XML file for Allow Read access for each removable storage](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml). ++> [!NOTE] +> Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. ++### Creating groups with OMA-URI +++When you create groups with OMA-URI in Intune, create one XML file for each group. As a best practice, use reusable settings to define groups. ++In the **Add Row** pane, specify the following settings: ++- In the **Name** field, type `Any Removable Storage Group`. +- In the **OMA-URI** field, type `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData`. (To get your GroupID, in the Intune admin center, go to **Groups**, and then select **Copy the Object ID**.) +- In the **Data Type** field, select **String (XML file)**, and use **Custom XML**. ++> [!NOTE] +> Comments using XML comment notation `<!-- COMMENT -- >` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file. ++## Configure removable storage access control using OMA-URI ++1. Go to the [Microsoft Intune admin center](https://intune.microsoft.com) and sign in. ++2. Choose **Devices** > **Configuration profiles**. The **Configuration profiles** page appears. ++3. Under the **Policies** tab (selected by default), select **+ Create**, and choose **+ New policy** from the drop-down that appears. The **Create a profile** page appears. ++4. In the **Platform** list, select **Windows 10, Windows 11, and Windows Server** from the **Platform** drop-down list, and choose **Templates** from the **Profile type** drop-down list. 
++ Once you choose **Templates** from the **Profile type** drop-down list, the **Template name** pane is displayed, along with a search box (to search the profile name). ++5. Select **Custom** from the **Template name** pane, and select **Create**. ++6. Create a row for each setting, group, or policy by implementing Steps 1-5. ++## View device control groups (Reusable settings) ++In Intune, device control groups appear as reusable settings. ++1. Go to the [Microsoft Intune admin center](https://endpoint.microsoft.com) and sign in. ++2. Go to **Endpoint Security** > **Attack Surface Reduction**. ++3. Select the **Reusable Settings** tab. + +## See also ++- [Device control in Defender for Endpoint](device-control-overview.md) +- [Device control policies and settings](device-control-policies.md) +- [Device Control for macOS](mac-device-control-overview.md) |
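Review bot: In "Creating policies with OMA-URI", the path `/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/...` lacks the leading `./` that every other OMA-URI on the page uses (`./Vendor/MSFT/Defender/...`); make the prefix consistent so the row targets the same CSP node. In "Creating groups with OMA-URI", the bold markers inside inline code, `%7b**[GroupId]**%7d`, render literally; drop them. The policies note writes `<!-- COMMENT -->` without code formatting, so Markdown treats it as an HTML comment and hides it from the reader, and the groups note writes `<!-- COMMENT -- >`, which is not a valid XML comment terminator; both should use the backticked `<!-- COMMENT -->` form the GPO article uses. Smaller fixes: the stray `**` after the Allow USB Connection link, "Screeenshot" in the alt text, the mojibake "**ΓÇô**" for the minus icon in "Device control profiles", step 6 of "Configure removable storage access control" ("by implementing Steps 1-5" is circular since it is step 6 of that list), and "View device control groups" step 1 linking endpoint.microsoft.com where the rest of the page uses intune.microsoft.com.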
security | Device Control Faq | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-faq.md | + + Title: Microsoft Defender for Endpoint Device Control frequently asked questions +description: Answers frequently asked questions about device control in Defender for Endpoint +++++ms.localizationpriority: medium ++audience: ITPro ++- m365-security +- tier3 +- mde-asr ++ Last updated : 01/25/2024++search.appverid: met150 +++# Microsoft Defender for Endpoint Device Control frequently asked questions ++**Applies to:** +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Business](/microsoft-365/security/defender-business) +++This article provides answers to frequently asked questions about device control removable storage capabilities in Microsoft Defender for Endpoint. ++## How do I generate GUID for Group ID/PolicyRule ID/Entry ID? ++You can generate the GUID through online open source or by using PowerShell. For more information, see [How to generate GUID through PowerShell](/powershell/module/microsoft.powershell.utility/new-guid). ++![Screenshot of GUID in PowerShell.](https://user-images.githubusercontent.com/81826151/159046476-26ea0a21-8087-4f01-b8ae-5aa73b392d8f.png) ++## What are the removable storage media and policy limitations? ++The backend call is done through OMA-URI (GET to read or PATCH to update) either from Intune or through Microsoft Graph API. The limitation is the same as any OMA-URI custom configuration profile at Microsoft, which is officially 350,000 characters for XML files. For example, if you need two blocks of entries per user SID to "Allow" / "Audit allowed" specific users, and then two blocks of entries at the end to "Deny" all, you'll be able to manage 2,276 users. ++## Why doesn't the policy work? 
++The most common reason is there's no required anti-malware client version. ++Another reason could be that the XML file isn't correctly formatted. For example, not using the correct markdown formatting for the "&" character in the XML file or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files causing the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**), and then update. ++If you're deploying and managing the policy by using Group Policy, make sure to combine all policy rules into one XML file within a parent node called `PolicyRules`. Also, combine all groups into one XML file within a parent node called `Groups`. If you're managing devices with Intune, keep separate XML files for each group and policy when deploying as `Custom OMA-URI`. ++The device (machine) should have a valid certificate. Run the following command on the machine to check: ++`Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe` ++![Screenshot showing results of Get-AuthenticodeSignature cmdlet.](https://user-images.githubusercontent.com/81826151/202582101-5470dd54-ef32-4448-80c9-ba23a721dc70.png) ++If the policy still isn't working, contact support, and share your support cab. To get that file, open Command Prompt as an administrator, and then use the following command: ++`"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles` ++## Why is there no configuration UX for some policy groups? ++There is no configuration UX for **Define device control policy groups** and **Define device control policy rules** on your Group Policy. 
But, you can still get the related `.adml` and `.admx` files by selecting **Raw** and **Save as** at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/WindowsDefender.admx) files. ++## How do I confirm that the latest policy has been deployed to the target machine? ++You can run the PowerShell cmdlet `Get-MpComputerStatus` as an administrator. The following value will show whether the latest policy has been applied to the target machine. +++## How can I know which machine is using out of date anti-malware client version in the organization? ++You can use following query to get anti-malware client version on the Microsoft 365 security portal: ++```kusto +//check the anti-malware client version +DeviceFileEvents +|where FileName == "MsMpEng.exe" +|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\" +|extend PlatformVersion=tostring(split(FolderPath, "\\", 5)) +//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion +|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion +|order by PlatformVersion desc +``` ++## How do I find the media property in the Device Manager? ++1. Plug in the media. ++2. Open Device Manager. ++ ![Screenshot of Device Manager.](https://user-images.githubusercontent.com/81826151/181859412-affd6aa1-09ad-44bf-9541-330499cc2c87.png) ++3. Locate the media in the Device Manager, right-click, and then select **Properties**. ++ :::image type="content" alt-text="Screenshot of media in the Device Manager." source="https://user-images.githubusercontent.com/81826151/181859700-62a6f704-b12e-41e3-a048-7d63432654a4.png"::: ++4. Open **Details**, and then select **Properties**. ++ :::image type="content" alt-text="Screenshot of right-click menu for disk drives in Device Manager." 
source="https://user-images.githubusercontent.com/81826151/181859852-00bc8b11-8ee5-4d46-9770-fa29f894d13f.png"::: + +Another way is to deploy an Audit policy to the organization, and see the events in advanced hunting or the device control report. + +<a name='how-do-i-find-sid-for-azure-ad-group'></a> ++## How do I find Sid for Microsoft Entra group? ++Different from Microsoft Entra groups, the Sid is using Object Id for Microsoft Entra group. You can find the Object Id from Azure portal. ++![image](https://user-images.githubusercontent.com/81826151/200895994-cc395452-472f-472e-8d56-351165d341a7.png) ++## Why is my printer blocked in my organization? ++The **Default Enforcement** setting is for all device control components, which means if you set it to `Deny`, it will block all printers as well. You can either create custom policy to explicitly allow printers or you can replace the Default Enforcement policy with a custom policy. ++## Why is creating a folder not blocked by File system level access? +Creating an empty folder will not be blocked even if **File system level access** Write access Deny is configured. Any non-empty file will be blocked. ++## Why is my USB still blocked with an allow-ready policy? +Some specific USB devices require more than Read access, the following list shows some examples: +1. To Read access some Kingston encrypted USBs requires Execute access for its CDROM. +2. To Read access some WD My Passport USBs requires Disk level Write access. For this case, if you want to deny Write access, you should use the **File system level access** ++The best way to understand this is to check the event on the Advanced hunting which will clearly show what accessMask is required. ++## Can I use both Group Policy and Intune deploy policies? ++You can use Group Policy and Intune to manage device control, but for one machine, use *either* Group Policy *or* Intune. If a machine is covered by both, device control will only apply the Group Policy setting. 
++## Is device control available in Microsoft Defender for Business? ++Yes, for Windows and Mac. ++To set up device control on Windows, use [attack surface reduction rules in Defender for Business](/microsoft-365/security/defender-business/mdb-asr). You'll need [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). The standalone version of Defender for Business does not include Intune, but it can be added on. [Microsoft 365 Business Premium](/microsoft-365/business-premium) does include Intune. See [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md). ++To set up device control on Mac, use Intune or Jamf. See [Device Control for macOS](mac-device-control-overview.md). |
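Review bot: In "Why doesn't the policy work?", "not using the correct markdown formatting for the "&" character in the XML file" should refer to XML escaping (a literal `&` in XML must be written as `&amp;`); Markdown is not involved in parsing the policy file. In "How do I confirm that the latest policy has been deployed", the sentence "The following value will show whether the latest policy has been applied" is followed by nothing; name the `Get-MpComputerStatus` property the reader should check. The Microsoft Entra section's opening sentence ("Different from Microsoft Entra groups, the Sid is using Object Id for Microsoft Entra group") compares Entra groups with themselves; state what the Object ID is being contrasted with. The `.adml`/`.admx` links here point to the repository root (`blob/main/WindowsDefender.adml`), while the GPO article links to `blob/main/windows/WindowsDefender.adml`; verify which location is current and use it in both articles. Also: "allow-ready policy" in the heading reads like "allow-read", and item 2 of that list ("you should use the **File system level access**") ends without a period.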
security | Device Control Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-overview.md | + + Title: Device control in Microsoft Defender for Endpoint +description: Get an overview of device control, including removable storage access control and device installation policies in Defender for Endpoint +++ Last updated : 01/30/2024++++audience: ITPro ++- m365-security +- tier2 +- mde-asr ++- partner-contribution ++search.appverid: MET150 +f1.keywords: NOCSH +++# Device control in Microsoft Defender for Endpoint ++Device control capabilities in Microsoft Defender for Endpoint enable your security team to control whether users can install and use peripheral devices, like removable storage (USB thumb drives, CDs, disks, etc.), printers, Bluetooth devices, or other devices with their computers. Your security team can configure device control policies to configure rules like these: ++- Prevent users from installing and using certain devices (like USB drives) +- Prevent users from installing and using *any* external devices with specific exceptions +- Allow users to install and use specific devices +- Allow users to install and use only [BitLocker](/windows/security/operating-system-security/data-protection/bitlocker/)-encrypted devices with Windows computers ++This list is intended to provide some examples. It's not an exhaustive list; there are other examples to consider (see the [device control in Windows](#device-control-in-windows) section in this article). ++Device control helps protect your organization from potential data loss, malware, or other cyberthreats by allowing or preventing certain devices to be connected to users' computers. With device control, your security team can determine whether and what peripheral devices users can install and use on their computers. ++## Device control in Windows ++This section lists scenarios for device control in Windows. 
++> [!TIP] +> If you're using Mac, device control can control access to Bluetooth, iOS devices, portable devices such as cameras, and removable media such as USB devices. See [Device Control for macOS](mac-device-control-overview.md). ++Select a tab, review the scenarios, and then identify the type of device control policy to create. ++## [**Removable storage**](#tab/Removable) ++| Scenario | Device control policy | +||| +| Prevent installation of a specific USB device | Device control in Windows. See [Device control policies](device-control-policies.md). | +| Prevent installation of all USB devices while allowing an installation of only an authorized USB | Device control in Windows. See [Device control policies](device-control-policies.md). | +| Prevent Write and Execute access to all but allow specific approved USBs | Device control in Defender for Endpoint. See [Device control policies](device-control-policies.md). | +| Audit Write and Execute access for all but block specific blocked USBs | Device control in Defender for Endpoint. See [Device control policies](device-control-policies.md). | +| Block read and execute access to specific file extension | Device control in Microsoft Defender. See [Device control policies](device-control-policies.md). | +| Block people from access removable storage when the machine isn't connecting corporate network | Device control in Microsoft Defender. See [Device control policies](device-control-policies.md). | +| Block write access to removable data drives not protected by BitLocker | Device control in Windows. See [BitLocker](/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common). | +| Block write access to devices configured in another organization | Device control in Windows. See [BitLocker](/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common). 
| +| Prevent copying of sensitive files to USB | [Endpoint DLP](/purview/endpoint-dlp-learn-about) | ++++## [**Printers**](#tab/Printers) ++| Scenario | Device control policy | +||| +| Block people from printing via noncorporate printers | Device control in Defender for Endpoint. See [Device control policies](device-control-policies.md). | +| Only allow specific USB printer(s) by VID/PID | Device control in Defender for Endpoint. See [Device control policies](device-control-policies.md). | +| Prevent installation of all printers | Device control in Windows. See [Device control policies](device-control-policies.md). | +| Prevent installation of a specific printer | Device control in Windows. See [Device control policies](device-control-policies.md). | +| Prevent installation of all printers while allowing a specific printer to be installed | Device control in Windows. See [Device control policies](device-control-policies.md). | +| Block printing of sensitive documents to any printer | [Endpoint DLP](/purview/endpoint-dlp-learn-about) | +++## [**Bluetooth**](#tab/Bluetooth) ++| Scenario | Device control policy | +||| +| Block copying of sensitive document to any Bluetooth Device | [Endpoint DLP](/purview/endpoint-dlp-learn-about) | ++++## Supported devices ++Device control supports Bluetooth devices, CD/ROMs and DVD devices, printers, USB devices, and other types of portable devices. On a Windows device, based on the driver, some peripheral devices are marked as removable. 
The following table lists examples of devices that device control supports with their `primary_id` values and media class names: ++| Device type | `PrimaryId` in Windows | `primary_id` in macOS | Media Class Name | +||||| +| Bluetooth devices | | `bluetoothDevice` | `Bluetooth Devices` | +| CD/ROMs, DVDs | `CdRomDevices` | | `CD-Roms` | +| iOS devices | | `appleDevice` | | +| Portable devices (such as cameras) | | `portableDevice` | | +| Printers | `PrinterDevices` | | `Printers` | +| USB devices (removable media) | `RemovableMediaDevices` | `removableMedia` | `USB` | +| Windows Portable Devices | `WpdDevices` | | `Windows Portable Devices (WPD)` | ++## Categories of Microsoft device control capabilities ++Device control capabilities from Microsoft can be organized into three main categories: device control in Windows, device control in Defender for Endpoint, and Endpoint Data Loss Prevention (Endpoint DLP). ++- **Device control in Windows**. The Windows operating system has built-in device control capabilities. Your security team can configure device installation settings to prevent (or allow) users from installing certain devices on their computers. Policies are applied at the device level, and use various device properties to determine whether or not a user can install/use a device. Device control in Windows works with BitLocker and ADMX templates, and can be managed using Intune. ++ - **BitLocker and Intune**. [BitLocker](/windows/security/operating-system-security/data-protection/encrypted-hard-drive) is a Windows security feature that provides encryption for entire volumes. Together with [Intune](/mem/intune/fundamentals/what-is-intune), policies can be configured to enforce encryption on devices using BitLocker for Windows (and FileVault for Mac). For more information, see [Disk encryption policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-disk-encryption-profile-settings). 
++ - **Administrative Templates (ADMX) and Intune**. You can use ADMX templates to create policies that restrict or allow specific types of USB devices to be used with computers. For more information, see [Restrict USB devices and allow specific USB devices using ADMX templates in Intune](/mem/intune/configuration/administrative-templates-restrict-usb). ++- **Device control in Defender for Endpoint**. Device control in Defender for Endpoint provides more advanced capabilities and is cross platform. You can configure device control settings to prevent (or allow) users to have Read, Write, or Execute access to content on removable storage devices. You can define exceptions, and you can choose to employ audit policies that detect but don't block users from accessing their removable storage devices. Policies are applied at the device level, user level, or both. Device control in Microsoft Defender can be managed using Intune. ++ - **Device control in Microsoft Defender and Intune**. Intune provides a rich experience for managing complex device control policies for organizations. You can configure and deploy device restriction settings in Defender for Endpoint, for example. See [Configure device restriction settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-configure). ++- **Endpoint data loss prevention** (Endpoint DLP). Endpoint DLP monitors sensitive information on devices that are onboarded to Microsoft Purview solutions. DLP policies can enforce protective actions on sensitive information and where it's stored or used. [Learn about Endpoint DLP](/purview/endpoint-dlp-learn-about). ++See the [device control scenarios](#device-control-in-windows) section (in this article) for more details about these capabilities. 
+++## Device control samples and scenarios ++Device control in Defender for Endpoint provides your security team with a robust access control model that enables a wide range of scenarios (see [Device control policies](device-control-policies.md)). We have put together a GitHub repository that contains samples and scenarios you can explore. See the following resources: ++- [Device control samples README](https://github.com/microsoft/mdatp-devicecontrol/blob/main/README.md) +- [Getting started with device control samples on Windows devices](https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/Getting%20Started/readme.md) +- [Device control for macOS samples](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/README.md) ++If you're new to device control, see [Device control walkthroughs](device-control-walkthroughs.md). ++## Prerequisites ++Device control in Defender for Endpoint can be applied to devices running Windows 10 or Windows 11 that have the anti-malware client version `4.18.2103.3` or later. (Currently, servers are not supported.) ++- `4.18.2104` or later: Add `SerialNumberId`, `VID_PID`, filepath-based GPO support, and `ComputerSid` +- `4.18.2105` or later: Add Wildcard support for `HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId`, the combination of specific user on specific machine, removable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support +- `4.18.2107` or later: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets); add `AccountName` into advanced hunting +- `4.18.2205` or later: Expand the default enforcement to Printer. If you set it to Deny, it blocks Printer as well, so if you only want to manage storage, make sure to create a custom policy to allow Printer +- `4.18.2207` or later: Add File support; the common use case can be: block people from Read/Write/Execute access specific file on removable storage. 
Add Network and VPN Connection support; the common use case can be: block people from access removable storage when the machine isn't connecting corporate network. ++For Mac, see [Device Control for macOS](mac-device-control-overview.md). ++Currently, device control is not supported on servers. ++## Next steps ++- [Device control walkthroughs](device-control-walkthroughs.md) +- [Learn about Device control policies](device-control-policies.md) +- [View device control reports](device-control-report.md) |
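Review bot: The scenario tables under the Removable storage and Printers tabs are inconsistent about which feature they name and where they link. The policy column uses three labels for what the Categories section later defines as two capabilities ('Device control in Windows', 'Device control in Defender for Endpoint', 'Device control in Microsoft Defender'), for example `| Block read and execute access to specific file extension | Device control in Microsoft Defender. ...` beside `| Prevent Write and Execute access to all but allow specific approved USBs | Device control in Defender for Endpoint. ...`; pick one label for the Defender for Endpoint feature. Rows labelled 'Device control in Windows' (such as `| Prevent installation of a specific USB device | Device control in Windows. See [Device control policies](device-control-policies.md). |`) link to the Defender for Endpoint policies article, although the Categories section says the Windows capability is device installation settings, BitLocker and ADMX templates, so either the label or the link target is wrong on those rows. Also fix 'Block people from access removable storage when the machine isn't connecting corporate network' to 'Block people from accessing removable storage when the machine isn't connected to the corporate network' (the same wording recurs in the `4.18.2207` prerequisite bullet), and make the cross-reference 'See the [device control scenarios](#device-control-in-windows) section' agree with the actual heading name 'Device control in Windows'.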
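Review bot: The Prerequisites section states the server limitation twice, once as '(Currently, servers are not supported.)' in the opening sentence and again as 'Currently, device control is not supported on servers.' after the Mac pointer; keep one. In the version list, `ComputerSid` (`4.18.2104` bullet) is spelled both `ComputerSid` and `ComputerSID` in the entry table of the companion policies article, so settle on one casing across both files. The `4.18.2205` bullet ('If you set it to Deny, it blocks Printer as well, so if you only want to manage storage, make sure to create a custom policy to allow Printer') describes a behaviour change that affects every admin who sets default enforcement to Deny; it deserves a sentence in the 'Controlling default behavior' guidance rather than living only in a version note.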
security | Device Control Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-policies.md | + + Title: Device control policies in Microsoft Defender for Endpoint +description: Learn about Device control policies in Defender for Endpoint +++ Last updated : 02/01/2024++++audience: ITPro ++- m365-security +- tier2 +- mde-asr ++- partner-contribution ++search.appverid: MET150 +f1.keywords: NOCSH +++# Device control policies in Microsoft Defender for Endpoint ++This article describes device control policies, rules, entries, groups, and advanced conditions. Essentially, device control policies define access for a set of devices. The devices that are in scope are determined by a list of included device groups and a list of excluded device groups. A policy applies if the device is in all of the included device groups and none of the excluded device groups. If no policies apply, then the default enforcement is applied. ++By default device control is disabled, so access to all types of devices is allowed. To learn more about device control, see [Device control in Microsoft Defender for Endpoint](device-control-overview.md). ++## Controlling default behavior ++When device control is enabled, it's enabled for all device types by default. The default enforcement can also be changed from *Allow* to *Deny*. Your security team can also configure the types of devices that device control protects. The following table below illustrates how various combinations of settings change the access control decision. ++| Is device control enabled? 
| Default behavior | Device types | +|||| +| No | Access is allowed | - CD/DVD drives <br/>- Printers <br/>- Removable media devices <br/>- Windows portable devices | +| Yes | (Not specified) <br/>Access is allowed | - CD/DVD drives <br/>- Printers <br/>- Removable media devices <br/>- Windows portable devices | +| Yes | Deny | - CD/DVD drives <br/>- Printers <br/>- Removable media devices <br/>- Windows portable devices | +| Yes | Deny removable media devices and printers | - Printers and removable media devices (blocked) <br/>- CD/DVD drives and Windows portable devices (allowed) | ++When device types are configured, device control in Defender for Endpoint ignores requests to other device families. ++For more information, see the following articles: ++- [Deploy and manage device control with Intune](device-control-deploy-manage-intune.md) +- [Deploy and manage device control with Group Policy](device-control-deploy-manage-gpo.md) ++## Policies ++To further refine access to devices, device control uses policies. A policy is a set of rules and groups. How rules and groups are defined varies slightly among management experiences and operating systems, as described in the following table. ++| Management tool | Operating system | How rules and groups are managed | +|||| +| Intune – Device control policy | Windows | Device and printer groups can be managed as reusable settings and included in rules. Not all features are available in the device control policy (see [Deploy and manage device control with Microsoft Intune](device-control-deploy-manage-intune.md)) | +| Intune – Custom | Windows | Each group/rule is stored as an XML string in custom configuration policy. The OMA-URI contains the GUID of the group/rule. The GUID must be generated. | +| Group Policy | Windows | The groups and rules are defined in separate XML settings in the Group Policy Object (see [Deploy and manage device control with Group Policy](device-control-deploy-manage-gpo.md)). 
| +| Intune | Mac | The rules and policies are combined into a single JSON and included in the `mobileconfig` file that is deployed by using Intune | +| JAMF | Mac | The rules and policies are combined into a single JSON and configured by using JAMF as the device control policy (see [Device Control for macOS](mac-device-control-overview.md)) | ++Rules and groups are identified by Global Unique ID (GUIDs). If device control policies are deployed using a management tool other than Intune, the GUIDs must be generated. You can generate the GUIDs by using [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid). ++For schema details, see [JSON schema for Mac](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json). ++## Rules ++A rule defines the list of included groups and a list of excluded groups. For the rule to apply, the device must be in all of the included groups and none of the excluded groups. If the device matches the rule, then the entries for that rule are evaluated. An entry defines the action and notification options applied, if the request matches the conditions. If no rules apply or no entries match the request then the default enforcement is applied. ++For example, to allow write access for some USB devices, and read access for all other USB devices, use the following policies, groups, and entries with default enforcement set to deny. ++| Group | Description | +||| +| All Removable Storage Devices | Removable Storage Devices | +| Writeable USBs | List of USBs where write access is permitted | ++|Rule | Included Device Groups | Excluded Device Groups | Entry | +||||| +| Read only access for USBs | All Removable storage devices | Writeable USBs | Read Only Access | +| Write access for USBs | Writeable USBs | | Write Access | ++The name of the rule appears in the portal for reporting and in the toast notification to users, so make sure to give the rules descriptive names. 
++You can configure rules by editing policies in Intune, using an XML file in Windows, or using a JSON file on Mac. Select each tab for more details. ++### [**Intune**](#tab/Removable) ++The following image depicts configuration settings for a device control policy in Intune: +++In the screenshot, the Included ID and Excluded ID are the references to included and excluded reusable settings groups. A policy can have multiple rules. ++The ordering of the rules isn't honored by Intune. The rules can be evaluated in any order, so make sure to explicitly exclude groups of devices that aren't in scope for the rule. ++### [**XML (Windows)**](#tab/XML) ++The following code snippet shows the syntax for a device control policy rule in XML: ++```xml ++<PolicyRule Id="{75a4e33a-5268-4552-bef2-e34dd0c39cb1}"> + <Name>Read Only Access for USBs</Name> + <IncludedIdList> + <GroupId>{3f5253e4-0e73-4587-bb9e-bb29a2171694}</GroupId> + </IncludedIdList> + <ExcludedIdList> + <GroupId>{3f5253e4-0e73-4587-bb9e-bb29a2171695}</GroupId> + <ExcludedIdList> + <Entry Id="{e3837e60-5e56-43ce-8095-043ccd793eac}"> + … + </Entry> + <Entry Id="{34413b98-8198-4e16-accf-c95c3c775ba3}"> + … + </Entry> +</PolicyRule> ++``` ++The following table provides more context for the XML code snippet: ++| Property Name | Description | Options | +|||| +| `PolicyRule Id` | GUID, a unique ID, represents the policy and is used in reporting and troubleshooting. | You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid). | +| `Name` | String, the name of the policy and displays on the toast based on the policy setting. | | +| `IncludedIdList` | The group(s) that the policy applies to. If multiple groups are added, the media must be a member of each group in the list to be included. | The Group ID/GUID must be used at this instance. 
<br/><br/>The following example shows the usage of GroupID: `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>` | +| `ExcludedIDList` | The group(s) that the policy doesn't apply to. If multiple groups are added, the media must be a member of a group in the list to be excluded. | The Group ID/GUID must be used at this instance. | +| `Entry` | One PolicyRule can have multiple entries; each entry with a unique GUID tells device control one restriction. | See Entry properties table below to get details. | ++### [**JSON (Mac)**](#tab/JSON) ++The following code snippet shows the syntax for a device control policy rule in JSON for macOS: ++```json +{ + "id": "75a4e33a-5268-4552-bef2-e34dd0c39cb1", + "name": "Read Only Access for USBs", + "includeGroups": [ + "3f5253e4-0e73-4587-bb9e-bb29a2171694" + ], + "includedGroups":[ + "3f5253e4-0e73-4587-bb9e-bb29a2171695" + ] + "entries": [ + … + ] + } ++``` ++The following table provides more context for the XML code snippet: ++| Property name | Description | Options | +|||| +| `id` | GUID, a unique ID, represents the rule and is used in the policy. | `New-Guid (Microsoft.PowerShell.Utility) - PowerShell<br/>uuidgen` | +| `name` | String, the name of the policy and will display on the toast based on the policy setting. | | +| `includeGroups` | The group(s) that the policy is applied to. If multiple groups are specified, the policy applies to any media in all those groups. If not specified, the rule applies to all devices. | The ID value inside the group must be used in this instance. If multiple groups are in the includeGroups, it's `AND`. <br/> `"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` | +| `excludeGroups` | The group(s) that the policy doesn't apply to. | The `id` value inside the group must be used in this instance. If multiple groups are in the excludeGroups, it's `OR`. 
| +| `entries` | One rule can have multiple entries; each entry with a unique GUID tells Device Control one restriction. | See entry properties table later in this article to get the details. | ++++## Entries ++Device control policies define access (called an entry) for a set of devices. Entries define the action and notification options for devices that match the policy and the conditions defined in the entry. ++| Entry setting | Options | +||| +| Action | Allow <br/> Deny <br/> AuditAllow <br/> AuditDeny | +| Notification | None (default) <br/> An event is generated <br/> The user receives notification <br/> File evidence is captured | ++If device control is configured, and a user attempts to use a device that's not allowed, the user gets a notification that contains the name of the device control policy and the name of the device. The notification appears once every hour after initial access is denied. ++An entry supports the following optional conditions: ++- Access Condition: Applies the action only to the access defined in the access mask +- User Condition: Applies the action only to the user/group identified by the SID +- Machine Condition: Applies the action only to the device/group identified by the SID +- Parameters Condition: Applies the action only if the parameters match (See Advanced Conditions) ++Entries can be further scoped to specific users and devices. For example, allow read access to these USBs for this user only on this device. ++| Policy | Included Device Groups | Excluded Device Groups | Entry(ies) | +||||| +| Read only access for USBs | All Removable storage devices | Writeable USBs | Read Only Access | +| Write access for USBs | Writeable USBs | | Write Access for User 1<br/><br/>Write Access for User 2 on Device Group A | ++All of the conditions in the entry must be true for the action to be applied. 
++### Determine the Security ID of a User, Group, or Device ++Entries can include user, group, or device restrictions based on Security ID (SID). The SID of the user who's signed in can be retrieved by running the PowerShell command `whoami /user`. ++You can configure entries using Intune, an XML file in Windows, or a JSON file on Mac. Select each tab for more details. ++### [**Intune**](#tab/Removable) ++In Intune, the **Access mask** field has options, such as: ++- **Read** (Disk Level Read = 1) +- **Write** (Disk Level Write = 2) +- **Execute** (Disk Level Execute = 4) +- **Print** (Print = 64). ++Not all features are shown in the Intune user interface. For more information, see [Deploy and manage device control with Intune](device-control-deploy-manage-intune.md). ++### [**XML (Windows)**](#tab/XML) ++The following code snippet shows the syntax for a device control entry in XML: ++```xml ++ <Entry Id="{e3837e60-5e56-43ce-8095-043ccd793eac}"> + <Type>Allow</Type> + <Options>0</Options> + <AccessMask>1</AccessMask> + </Entry> ++``` ++The following table provides more context for the XML code snippet: ++| Property name | Description | Option | +|||| +| `Entry Id` | GUID, a unique ID, represents the entry and is used in reporting and troubleshooting. | You can generate the GUID by using PowerShell. | +| `Type` | Defines the action for the removable storage groups in `IncludedIDList`. <br/>- `Allow` <br/>- `Deny` <br/>- `AuditAllowed`: Defines notification and event when access is allowed <br/>- `AuditDenied`: Defines notification and event when access is denied; works together with a `Deny` entry. <br/><br/>When there are conflict types for the same media, the system applies the first one in the policy. An example of a conflict type is `Allow` and `Deny`. | - `Allow` <br/>- `Deny` <br/>- `AuditAllowed` <br/>- `AuditDenied` | +| `Option` | If type is `Allow` | - `0`: nothing <br/>- `4`: disable `AuditAllowed` and `AuditDenied` for this entry. 
If `Allow` occurs and the `AuditAllowed` setting is configured, events aren't generated.<br/>- `8`: create a copy of the file as evidence, and generate a `RemovableStorageFileEvent` event. This setting must be used together with the **Set location for a copy of the file** setting in [Intune](device-control-deploy-manage-intune.md) or [Group Policy](device-control-deploy-manage-gpo.md). | +| `Option` | If type is `Deny` | - `0`: nothing <br/>- `4`: disable `AuditDenied` for this Entry. If Block occurs and the `AuditDenied` is setting configured, the system doesn't show notifications. | +| `Option` | If type is `AuditAllowed` | - `0`: nothing<br/>- `1`: nothing <br/>- `2`: send event | +| `Option` | If type is `AuditDenied` | - `0`: nothing <br/>- `1`: show notification <br/>- `2`: send event <br/>- `3`: show notification and send event | +| `AccessMask` | Defines the access | See the following section [Understand mask access](#understand-mask-access-windows) | +| `Sid` | Local user SID or user SID group, or the SID of the Microsoft Entra object or the Object ID. It defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the device. | SID | +| `ComputerSid` | Local computer SID or computer SID group, or the SID of the Microsoft Entra object or the Object Id. It defines whether to apply this policy over a specific device or device group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the device. If you want to apply an Entry to a specific user and specific device, add both SID and ComputerSID into the same Entry. | SID | +| `Parameters` | Condition for an entry, such as network condition. | Can add groups (non-device types) or even put parameters into parameters. For more information, see the [advanced conditions](#advanced-conditions) section (in this article). 
| ++#### Understand mask access (Windows) ++Device control applies an access mask to determine if the request matches the entry. The following actions are available on `CdRomDevices`, `RemovableMediaDevices`, and `WpdDevices`: ++| Access | Mask | +|--|--| +| Disk level read | 1 | +| Disk level write | 2 | +| Disk level execute | 4 | +| File system read | 8 | +| File system write | 16 | +| File system execute | 32 | ++The following actions are available on PrinterDevices: ++- Access: Print +- Mask: 64 ++You can have multiple access settings by performing a binary OR operation. Here's an example: ++- The AccessMask for Read and Write and Execute is 7 +- The AccessMask for Read and Write is 3 +++### [**JSON (Mac)**](#tab/JSON) ++The following code snippet shows the syntax for a device control entry in JSON for macOS: ++```json ++{ + "$type": "generic", + "id": "e3837e60-5e56-43ce-8095-043ccd793eac", + "enforcement": { + "$type": "allow" + }, + "access": [ + "generic_read" + ] +} ++``` ++The following table provides more context for the JSON code snippet: ++| Property name | Description | Options | +|||| +| `id` | GUID, a unique ID, represents the entry and is used in reporting and troubleshooting. | You can generate the ID by using PowerShell. | +| `enforcement $type` | Defines the action for the removable storage groups in `includedGroups`. <br/>- `allow` <br/>- `deny` <br/>- `auditAllow`: Defines notification and event when access is allowed <br/>- `AuditDeny`: Defines notification and event when access is denied; has to work together with the Deny entry. <br/><br/>When there are conflict types for the same media, the system applies the first one in the policy. An example of a conflict type is Allow and Deny. 
| The `enforcement $type` attribute can be one of the following values:<br/>- `allow`<br/>- `deny`<br/>- `auditAllow`<br/>- `auditDeny` | +| `enforcement $options` | If enforcement $type is allow | `disable_audit_allow`: If Allow occurs and the auditAllow is setting configured, the system doesn't send events. | +| `enforcement $options` | If enforcement $type is deny | `disable_audit_deny`: If Block happens and the auditDeny is setting configured, the system doesn't show notifications or send events. | +| `enforcement $options` | If enforcement $type is auditAllow | `send_event`: Sends telemetry | +| `enforcement $options` | If enforcement $type is auditDeny | <br/>- `send_event`: Sends telemetry <br/>- `show_notification`: Displays block message to user | +| `$type` | The type of entry. The type determines the operations that can be protected by device control | The `$type` attributes can be any of the following values:<br/>- `removableMedia`<br/>- `appleDevice`<br/>- `PortableDevice`<br/>- `bluetoothDevice` | +| `access` | A list of operations that this entry grants | See the next section, "Understand access on Mac" | ++#### Understand access (Mac) ++There are two kinds of access for an entry: generic and device type specific. ++- Generic access options include `generic_read`, `generic_write`, and `generic_execute`. +- Device type specific access provides a finer granularity of control, because the device type specific access values are included in the generic access types. ++The following table describes the device type specific access and how they map to the generic access types. 
++| Device Type ($type) | Device Type Specific Access | Description | Read | Write | Execute | +||||||| +| `appleDevice` | `backup_device` | | X | | | +| `appleDevice` | `update_device` | | | X | | +| `appleDevice` | `download_photos_from_device` | download photo(s) from the specific iOS device to local device | X | | | +| `appleDevice` | `download_files_from_device` | download file(s) from the specific iOS device to local device | X | | | +| `appleDevice` | `sync_content_to_device` | sync content from local device to specific iOS device | | X | | +| `portableDevice` | `download_files_from_device` | X | | | +| `portableDevice` | `send_files_to_device` | | | X | | +| `portableDevice` | `download_photos_from_device` | | X | | | +| `portableDevice` | `debug` | ADB tool control | | | X | +| `removableMedia` | `read` | | X | | | +| `removableMedia` | `write` | | | X | | +| `removableMedia` | `execute` | | | | X | +| `bluetoothDevice` | `download_files_from_device` | | X | | | +| `bluetoothDevice` | `send_files_to_device` | | | X | | ++++## Groups ++Groups define criteria for filtering objects by their properties. The object is assigned to the group if its properties match the properties defined for the group. ++For example: ++- Allowed USBs are all the devices that match any of these manufacturers +- Lost USBs are all the devices that match any of these serial numbers +- Allowed printers are all the devices that match any of these VID/PID ++The properties can be matched in four ways: `MatchAll`, `MatchAny`, `MatchExcludeAll`, and `MatchExcludeAny` ++- `MatchAll`: The properties are an "And" relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, the system checks to see whether the USB meets both values. 
+- `MatchAny`: The properties are an "Or" relationship; for example, if administrator puts DeviceID and `InstancePathID`, for every connected USB, the system enforces as long as the USB has either an identical `DeviceID` or `InstanceID` value. +- `MatchExcludeAll`: The properties are an "And" relationship, any items that do NOT meet are covered. For example, if administrator puts `DeviceID` and `InstancePathID` and uses `MatchExcludeAll`, for every connected USB, system enforces as long as the USB doesn't have both identical `DeviceID` and `InstanceID` value. +- `MatchExcludeAny`: The properties are an "Or" relationship, any items that do NOT meet are covered. For example, if administrator puts `DeviceID` and `InstancePathID` and uses `MatchExcludeAny`, for every connected USB, system enforces as long as the USB doesn't have either an identical `DeviceID` or `InstanceID` value. ++Groups are used two ways: to select devices for inclusion/exclusion in rules, and to filter access for advanced conditions. This table summarizes the group types and how they're used. ++| Type | Description | O/S | Include/Exclude Rules | Advanced conditions | +|||||| +| Device (default) | Filter devices and printers | Windows/Mac | X | | +| Network | Filter network conditions | Windows | | X | +| VPN Connection | Filter VPN conditions | Windows | | X | +| File | Filter file properties | Windows | | X | +| Print Job | Filter properties of the file being printed | Windows | | X | ++The devices that are in scope for the policy determined by a list of included groups and a list of excluded groups. A rule applies if the device is in all of the included groups and none of the excluded groups. Groups can be composed from the properties of devices. 
The following properties can be used: ++| Property | Description | Windows devices | Mac devices | Printers | +|||||| +| `FriendlyNameId` | The friendly name in Windows Device Manager | Y | N | Y | +| `PrimaryId` | The type of the device | Y | Y | Y | +| `VID_PID` | Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. Wildcards are supported. For example, `0751_55E0` | Y | N | Y | +`PrinterConnectionId` | The type of printer connection: <br/>- USB<br/>- Corporate<br/>- Network<br/>- Universal<br/>- File<br/>- Custom<br/>- Local | N | N | Y | +| `BusId` | Information about the device (for more information, see the sections that follow this table) | Y | N | N | +| `DeviceId` | Information about the device (for more information, see the sections that follow this table) | Y | N | N | +| `HardwareId` | Information about the device (for more information, see the sections that follow this table) | Y | N | N | +| `InstancePathId` | Information about the device (for more information, see the sections that follow this table) | Y | N | N | +| `SerialNumberId` | Information about the device (for more information, see the sections that follow this table) | Y | Y | N | +| `PID` | Product ID is the four-digit product code that the vendor assigns to the device | Y | Y | N | +| `VID` | Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. | Y | Y | N | +| `APFS Encrypted` | If the device is APFS encrypted | N | Y | N | +++### Using Windows Device Manager to determine device properties ++For Windows devices, you can use Device Manager to understand the properties of devices. ++1. Open Device Manager, locate the device, right-click on **Properties**, and then select the **Details** tab. ++2. In the Property list, select **Device instance path**. 
++ The value shown for device instance path is the `InstancePathId`, but it also contains other properties: ++ - `USB\VID_090C&PID_1000\FBH1111183300721` + - `{BusId}\{DeviceId}\{SerialNumberId}` ++ The properties in the device manager map to device control as shown in the following table: ++ | Device Manager | Device Control | + ||| + | Hardware Ids | `HardwareId` | + | Friendly name | `FriendlyNameId` | + | Parent | `VID_PID` | + | DeviceInstancePath | `InstancePathId` | +++### Using reports and advanced hunting to determine properties of devices ++Device properties have slightly different labels in advanced hunting. The table below maps the labels in the portal to the `propertyId` in a device control policy. ++| Microsoft Defender Portal property | Device control property Id | +||| +| Media name | `FriendlyNameId` | +| Vendor Id | `HardwareId` | +| DeviceId | `InstancePathId` | +| Serial Number | `SerialNumberId` | +++> [!NOTE] +> Make sure that the object selected has the correct Media Class for the policy. In general, for removable storage, use `Class Name == USB`. ++### Configure groups in Intune, XML in Windows, or JSON on Mac ++You can configure groups in Intune, by using an XML file for Windows, or by using a JSON file on Mac. Select each tab for more details. ++### [**Intune**](#tab/Removable) ++Reusable settings in Intune map to device groups. You can configure reusable settings in Intune. +++There are two types of groups: Printer Device and Removable Storage. The following table lists the properties for these groups. 
++| Group type | Properties | +||| +| Printer device | - `FriendlyNameId`<br/>- `PrimaryId`<br/>- `PrinterConnectionId`<br/>- `VID_PID` | +| Removable storage | - `BusId` <br/>- `DeviceId`<br/>- `FriendlyNameId`<br/>- `HardwareId`<br/>- `InstancePathId`<br/>- `PID`<br/>- `PrimaryId`<br/>- `SerialNumberId`<br/>- `VID`<br/>- `VID_PID` | ++### [**XML (Windows)**](#tab/XML) ++The following XML snippet shows the syntax for matching groups: ++```xml ++<Group Id="{3f5253e4-0e73-4587-bb9e-bb29a2171694}"> + <MatchType>MatchAny</MatchType> + <DescriptorIdList> + … + </DescriptorIdList> +</Group> ++``` ++The following table describes properties for groups. ++| Property Name | Description | Options | +|||| +| `Group Id` | GUID, a unique ID, represents the group and to be used in the policy. | You can generate the ID through PowerShell. | +| `Type` | The type of the group | Device (Default) <br/><br/>The other types of groups (`File`, `VPNConnection`, `PrintJob`, `Network`) can be used for advanced conditions. The type for groups used with rules is `Device`, which is the default. | +| `MatchType` | The matching algorithm used | - `MatchAny`<br/>- `MatchAll`<br/>- `MatchExcludeAll`<br/>- `MatchExcludeAny` | +| `DescriptionIdList` | The list of properties evaluated for inclusion in the group | See [DescriptionIdList properties](#descriptionidlist-properties) (section after this table) | +++#### DescriptionIdList properties ++The properties described in the following table can be included in the `DescriptionIdList`: ++| Property | Description | +||| +| `PrimaryId` | Includes `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, and `PrinterDevices`.| +| `InstancePathId` | String that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. It corresponds to the device instance path in Device Manager in Windows. 
The number at the end (for example `&0`) represents the available slot and might change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`. | +| `DeviceId` | To transform Device instance path to Device ID format, use Standard USB Identifiers, such as this example: `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07` | +| `HardwareId` | String that identifies the device in the system, like `USBSTOR\DiskGeneric_Flash_Disk___8.07`. It corresponds to the hardware ID in Device Manager in Windows. Keep in mind that `HardwareId` isn't unique; different devices might share the same value. | +| `FriendlyNameId` | String attached to the device, like `Generic Flash Disk USB Device`. It's corresponds to the friendly name in Device Manager in Windows. | +| `BusId` | For example, `USB`, `SCSI` | +| `SerialNumberId` | You can find `SerialNumberId` from Device instance path in Device Manager in Windows. For example, `03003324080520232521` is `SerialNumberId` in `USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\03003324080520232521&0` | +| `VID_PID` | - Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. <br/>- Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcards.<br/>- To transform Device instance path to Vendor ID and Product ID format, use Standard USB Identifiers. 
Here are some examples: <br/>`0751_55E0`: match this exact VID/PID pair <br/>`_55E0`: match any media with `PID=55E0` <br/>`0751_`: match any media with `VID=0751` | ++Here are some examples of device group definitions in the device control samples repository: ++- [Group of devices by Instance Path Id](https://github.com/microsoft/mdatp-devicecontrol/blob/c43f0ee80702f0a24f48b1d0f8302dd30a230586/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Approved%20USBs%20Group.xml#L2) +- [Group of devices by VID_PID](https://github.com/microsoft/mdatp-devicecontrol/blob/c43f0ee80702f0a24f48b1d0f8302dd30a230586/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Unapproved%20USBs%20Group.xml#L2) +- [Group of devices by Primary Id](https://github.com/microsoft/mdatp-devicecontrol/blob/c43f0ee80702f0a24f48b1d0f8302dd30a230586/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml) ++### [**JSON (Mac)**](#tab/JSON) ++The following JSON snippet shows the syntax for defining groups on Mac: ++```json ++ { + "$type": "device", + "id": "3f5253e4-0e73-4587-bb9e-bb29a2171694", + "query": { + "$type": "or", + "clauses": [ + … + ] + } + } ++``` ++The following table describes properties for groups: ++| Property | Description | Options | +|||| +| `$type` | The kind of group | device | +| `id` | GUID, a unique ID, represents the group to be used in the policy. | You can generate the ID by using the Windows PowerShell [New-Guid](/powershell/module/microsoft.powershell.utility/new-guid) cmdlet or the `uuidgen` command on macOS | +| `name` | Friendly name for the group. | string | +| `query` | The media coverage under this group | See the query properties tables below for details. | ++The query supports all, and (same as all), any, or (same as any) types. This is the logic used to combine the properties in the clauses. 
++The following values are supported as clauses: ++| Clause `$type` | Value | Description | +|||| +| `primaryId` | One of: <br/>- `apple_devices`<br/>- `removable_media_devices`<br/>- `portable_devices`<br/>- `bluetooth_devices` | +| `vendorId` | four-digit hexadecimal string | Matches a device's vendor ID | +| `productId` | four-digit hexadecimal string | Matches a device's product ID | +| `serialNumber` | string | Matches a device's serial number. Doesn't match if the device doesn't have a serial number. | +| `encryption` | apfs | Match if a device is apfs-encrypted. | +| `groupId` | UUID string | Match if a device is a member of another group. The value represents the UUID of the group to match against. The group must be defined within the policy prior to the clause. | ++Here's an example query: ++```JSON ++"query": { + "$type": "or", + "clauses": [ + { + "$type": "serialNumber", + "value": "FBH1111183300731" + } + ] + } ++``` ++Our example query can be edited to get behavior equivalent to the ExcludedMatchAll and ExcludedMatchAny by using the "not" type, as follows: ++```json ++"query": { + "$type":"not", + "query": { + "$type": "or", + "clauses": [ + { + "$type": "serialNumber", + "value": "FBH1111183300731" + } + ] + } ++} ++``` ++This query matches all devices that don't have the specified serial number. ++++## Advanced conditions ++Entries can be further restricted based on parameters. Parameters apply advanced conditions that go beyond the device. Advanced conditions allow for fine-grained control based on Network, VPN Connection, File or Print Job being evaluated. ++> [!NOTE] +> Advanced conditions are only supported in the XML format. ++### Network Conditions ++The following table describes network group properties: ++| Property | Description | +||| +| `NameId` | The name of the network. Wildcards are supported. | +| `NetworkCategoryId` | Valid options are `Public`, `Private`, or `DomainAuthenticated`. 
| +| `NetworkDomainId` | Valid options are `NonDomain`, `Domain`, `DomainAuthenticated`. | ++These properties are added to the DescriptorIdList of a group of type Network. Here's an example snippet: ++```xml ++<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30a}" Type="Network" MatchType="MatchAll"> + <DescriptorIdList> + <NetworkCategoryId>Public</PathId> + <NetworkDomainId>NonDomain</PathId> + </DescriptorIdList> +</Group> ++``` ++The group is then referenced as parameters in the entry, as illustrated in the following snippet: ++```xml ++ <Entry Id="{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}"> + <Type>Deny</Type> + <Options>0</Options> + <AccessMask>40</AccessMask> + <Parameters MatchType="MatchAll"> + <Network MatchType="MatchAny"> + <GroupId>{ e5f619a7-5c58-4927-90cd-75da2348a30a }</GroupId> + </Network> + </Parameters> + </Entry> ++``` ++### VPN Connection Conditions ++The following table describes VPN connection conditions: ++| Name | Description | +||| +| `NameId` | The name of the VPN Connection. Wildcards are supported. | +| `VPNConnectionStatusId` | Valid values are `Connected` or `Disconnected`. | +| `VPNServerAddressId` | The string value of `VPNServerAddress`. Wildcards are supported. | +| `VPNDnsSuffixId` | The string value of `VPNDnsSuffix`. Wildcards are supported. 
| ++These properties are added to the DescriptorIdList of a group of type VPNConnection, as shown in the following snippet: ++```xml ++ <Group Id="{d633d17d-d1d1-4c73-aa27-c545c343b6d7}" Type="VPNConnection"> + <Name>Corporate VPN</Name> + <MatchType>MatchAll</MatchType> + <DescriptorIdList> + <NameId>ContosoVPN</NameId> + <VPNServerAddressId>contosovpn.*.contoso.com</VPNServerAddressId> + <VPNDnsSuffixId>corp.contoso.com</VPNDnsSuffixId> + <VPNConnectionStatusId>Connected</VPNConnectionStatusId> + </DescriptorIdList> + </Group> ++``` ++Then the group is then referenced as parameters in an entry, as illustrated in the following snippet: ++```xml ++ <Entry Id="{27c79875-25d2-4765-aec2-cb2d1000613f}"> + <Type>Allow</Type> + <Options>0</Options> + <AccessMask>64</AccessMask> + <Parameters MatchType="MatchAny"> + <GroupId>{d633d17d-d1d1-4c73-aa27-c545c343b6d7}</GroupId> + </VPNConnection> + </Parameters> + </Entry> ++``` +++### File Conditions ++The following table describes file group properties: ++| Name | Description | +||| +| `PathId` | String, value of file path or name. <br/>Wildcards are supported. <br/>Only applicable for file type groups. 
| ++The following table illustrates how properties are added to the `DescriptorIdList` of a file group: ++```xml + +<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File" MatchType="MatchAny"> + <DescriptorIdList> + <PathId>*.exe</PathId> + <PathId>*.dll</PathId> + </DescriptorIdList> +</Group> ++``` ++The group is then referenced as parameters in an entry, as illustrated in the following snippet: ++```xml ++ <Entry Id="{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}"> + <Type>Deny</Type> + <Options>0</Options> + <AccessMask>40</AccessMask> + <Parameters MatchType="MatchAll"> + <File MatchType="MatchAny"> + <GroupId>{ e5f619a7-5c58-4927-90cd-75da2348a30f }</GroupId> + </File> + </Parameters> + </Entry> ++``` +++### Print Job Conditions ++The following table describes `PrintJob` group properties: ++| Name | Description | +||| +| `PrintOutputFileNameId` | The output destination file path for print to file. Wildcards are supported. For example, `C:\*\Test.pdf` | +| `PrintDocumentNameId` | The source file path. Wildcards are supported. This path might not exist. For example, add text to a new file in Notepad, and then print without saving the file. 
| ++These properties are added to the `DescriptorIdList` of a group of type `PrintJob`, as illustrated in the following snippet: ++```xml ++<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30b}" Type="PrintJob" MatchType="MatchAny"> + <DescriptorIdList> + <PrintOutputFileNameId>C:\Documents\*.pdf</PrintOutputFileNameId > + <PrintDocumentNameId>*.xlsx</PrintDocumentNameId> +<PrintDocumentNameId>*.docx</PrintDocumentNameId> + </DescriptorIdList> +</Group> ++``` ++The group is then referenced as parameters in an entry, as illustrated in the following snippet: ++```xml ++ <Entry Id="{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}"> + <Type>Deny</Type> + <Options>0</Options> + <AccessMask>40</AccessMask> + <Parameters MatchType="MatchAll"> + <PrintJob MatchType="MatchAny"> + <GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30b}</GroupId> + </PrintJob> + </Parameters> + </Entry> ++``` ++## File evidence ++With device control, you can store evidence of files that were copied to removablee devices or were printed. When file evidence is enabled, a `RemovableStorageFileEvent` is created. The behavior of file evidence is controlled by options on the Allow action, as described in the following table: ++| Option | Description | +||| +| `8` | Create a `RemovableStorageFileEvent` event with `FileEvidenceLocation` | +| `16` | Create a `RemovableStorageFileEvent` without `FileEvidenceLocation` | ++The `FileEvidenceLocation` field of has the location of the evidence file, if one is created. The evidence file has a name which ends in `.dup`, and its location is controlled by the `DataDuplicationFolder` setting. 
+++## Next steps ++- [View device control events and information in Microsoft Defender for Endpoint](device-control-report.md) +- [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](device-control-deploy-manage-intune.md) +- [Deploy and manage device control in Microsoft Defender for Endpoint using Group Policy](device-control-deploy-manage-gpo.md) +- [Device Control for macOS](mac-device-control-overview.md) |
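Review bot: the XML sample under "Network Conditions" has mismatched closing tags and will not parse: `<NetworkCategoryId>Public</PathId>` and `<NetworkDomainId>NonDomain</PathId>` should close with `</NetworkCategoryId>` and `</NetworkDomainId>`. The VPN entry example in the next section is missing its opening element: `<Parameters MatchType="MatchAny">` is followed directly by `<GroupId>…</GroupId>` and then `</VPNConnection>`, so a `<VPNConnection MatchType="MatchAny">` line (the same pattern the neighbouring `<Network MatchType="MatchAny">` and `<File MatchType="MatchAny">` examples use) needs to precede the `GroupId`. The PrintJob group sample also carries a stray space in `</PrintOutputFileNameId >`. Administrators paste these blocks into enforcement policies, so every XML snippet in the article should be checked for well-formedness before merge; a malformed group or entry silently fails to apply the intended Deny.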
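Review bot: the XML (Windows) tab introduces the element as `DescriptionIdList` in the group properties table row, in the `#### DescriptionIdList properties` heading (and its `#descriptionidlist-properties` anchor) and in the sentence "The properties described in the following table can be included in the `DescriptionIdList`", while the snippet directly above and every later example write `<DescriptorIdList>`, and the Network, VPN, File and PrintJob sections all say "added to the DescriptorIdList". The table row, heading, anchor and intro sentence should be renamed to `DescriptorIdList` so the prose matches the element name used in every snippet.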
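Review bot: two table rows are malformed in the properties tables: the `PrinterConnectionId` row is missing its leading `|`, so it renders outside the table, and the `primaryId` clause row in the JSON (Mac) clause table has only two cells in a three-column table (its Description cell is absent). The `GroupId` values in the Network and File entry examples are written as `{ e5f619a7-… }` with spaces inside the braces, while the PrintJob example writes `{e5f619a7-…}`; the samples should use one form so readers do not wonder whether the whitespace is significant. Minor wording fixes for the same region: "The devices that are in scope for the policy determined by" (missing "are"), "It's corresponds to the friendly name", "Then the group is then referenced", "removablee devices" and "The `FileEvidenceLocation` field of has the location".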
security | Device Control Removable Storage Access Control | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md | - Title: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media -description: A walk-through about Microsoft Defender for Endpoint ------- m365-security-- tier3-- mde-asr--- Previously updated : 04/25/2023----# Microsoft Defender for Endpoint Device Control Removable Storage Access Control --**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Business](/microsoft-365/security/defender-business)--> [!NOTE] -> The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806). --## Overview --Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage with or without exclusions. --|Privilege|Permission| -||| -|Access|Read, Write, Execute| -|Action Mode|Audit, Allow, Prevent| -|CSP Support|Yes| -|GPO Support|Yes| -|User-based Support|Yes| -|Machine-based Support|Yes| --### Prepare your endpoints --Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices that have the anti-malware client version **4.18.2103.3 or later**. 
--- **4.18.2104 or later**: Add `SerialNumberId`, `VID_PID`, filepath-based GPO support, and `ComputerSid`--- **4.18.2105 or later**: Add Wildcard support for `HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId`, the combination of specific user on specific machine, removable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support--- **4.18.2107 or later**: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets); add `AccountName` into [advanced hunting](device-control-removable-storage-access-control.md#view-data-in-microsoft-defender-for-endpoint)--- **4.18.2205 or later**: Expand the default enforcement to **Printer**. If you set it to **Deny**, it will block Printer as well, so if you only want to manage storage, make sure to create a custom policy to allow Printer--- **4.18.2207 or later**: Add **File** support, the common use case can be: block people from Read/Write/Execute access specific file on removable storage; add **Network** and **VPN Connection** support, the common use case can be: block people from access removable storage when the machine isn't connecting corporate network.---> [!NOTE] -> None of Windows Security components need to be active as you can run Removable Storage Access Control independent of Windows Security status. --## Device Control Removable Storage Access Control properties --The Removable Storage Access Control includes Removable storage group creation and access policy rule creation: --- Removable storage group allows you to create group. For example, authorized USB group or encrypted USB group.-- Access policy rule allows you to create policy to restrict each removable storage group. 
For example, only allow authorized user to Write access-authorized USB group.-- To block a specific removable storage class but allow specific media, you can use `IncludedIdList` a group through `PrimaryId` and `ExcludedIDList` a group through `DeviceId/HardwareId/etc.` For more information, see [Deploy Removable Storage Access Control by using Intune OMA-URI](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri).--Here are the properties you can use when you create the group and policy XML files. --### Group --Group includes following types: --- Device: if there's an explicit type setting, this setting is the default, including removable storage and Printer.-- Network-- VPN Connection--The following table lists the properties you can use in **Group**: --|Property Name|Description|Options| -|||| -|**GroupId**|GUID, a unique ID, represents the group and will be used in the policy.| You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).| -|**Type**|The type of the group. |**File** <p>**Device** <p> **Note**: Default type is Device that includes removable storage and printer. For any other group you define in your Group setting, make sure explicitly mark Type, for example, Type="File". | -|**DescriptorIdList**|List the device properties you want to use to cover in the group. All properties are case sensitive. |**PrimaryId**: The Primary ID includes `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`. <p>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. It's the `Device instance path` in the Device Manager. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. 
For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`. <p>**DeviceId**: To transform `Device instance path` to Device ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07` <p>**HardwareId**: A string that identifies the device in the system, for example, `USBSTOR\DiskGeneric_Flash_Disk___8.07`. It's `Hardware Ids` in the Device Manager. <br>**Note**: Hardware ID isn't unique; different devices might share the same value.<p>**FriendlyNameId**: It's a string attached to the device, for example, `Generic Flash Disk USB Device`. It's the `Friendly name` in the Device Manager. <p>**BusId**: For example, USB, SCSI <p>**SerialNumberId**: You can find SerialNumberId from `Device instance path` in the Device Manager, for example, `03003324080520232521` is SerialNumberId in USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\\`03003324080520232521`&0 <p>**VID_PID**: Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcard. To transform `Device instance path` to Vendor ID and Product ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). For example: <br>`0751_55E0`: match this exact VID/PID pair<br>`_55E0`: match any media with PID=55E0 <br>`0751_`: match any media with VID=0751 <p> **NameId**: The name of the Network or VPN Connection, support wildcard and only applicable for Network type or VPN Connection type Group. <p> **NetworkCategoryId**: only applicable for Network type Group and includes `Public`, `Private`, `DomainAuthenticated`. <p> **NetworkDomainId**: only applicable for Network type Group and includes `NonDomain`, `Domain`, `DomainAuthenticated`. 
<p> **VPNConnectionStatusId**: only applicable for VPN Connection type Group and includes `Connected`, `Disconnected`. <p> **VPNServerAddressId**: string, value of VPNServerAddress, support wildcard and only applicable for VPN Connection type Group. <p> **VPNDnsSuffixId**: string, value of VPNDnsSuffix, support wildcard and only applicable for VPN Connection type Group. <p> **PathId**: string, value of file path or name, support wildcard and only applicable for File type Group. <p> **Note**: See [How do I find the media property in the Device Manager?](device-control-removable-storage-access-control-faq.md#how-do-i-find-the-media-property-in-the-device-manager) to understand how to find the property in Device Manager.| -|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. <p> **MatchExcludeAll**: The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value. <p> **MatchExcludeAny**: The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. 
For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.| --### Access policy rule --Every access policy rule called **PolicyRule** can be used to define access restriction for each group through multiple **Entry**. --The following table lists the properties you can use in **PolicyRule**: --| Property Name | Description | Options | -|||| -| **PolicyRule Id** | GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting. | You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).| -| **Name** | String, the name of the policy and will display on the toast based on the policy setting. | | -| **IncludedIdList** | The group(s) that the policy will be applied to. If multiple groups are added, **the media must be a member of each group in the list** to be included.|The Group ID/GUID must be used at this instance. <p> The following example shows the usage of GroupID: <p> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>` | -| **ExcludedIDList** | The group(s) that the policy won't be applied to. If multiple groups are added, **the media must be a member of a group in the list** to be excluded. | The Group ID/GUID must be used at this instance. 
| -| **Entry** | One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.| See Entry properties table below to get details.| ---The following table lists the properties you can use in **Entry**: --| Property Name | Description | Options | -|||| -| **Entry Id** | GUID, a unique ID, represents the entry and will be used in the reporting and troubleshooting.| You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).| -| **Type** | Defines the action for the removable storage groups in IncludedIDList. <p>Enforcement: Allow or Deny <p>Audit: AuditAllowed or AuditDenied<p> | Allow<p>Deny <p>AuditAllowed: Defines notification and event when access is allowed <p>AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.<p> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**. | -| **Sid** | Local user Sid or user Sid group or the Sid of the AD object or the Object ID of the Microsoft Entra object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the machine. | | -| **ComputerSid** | Local computer Sid or computer Sid group or the Sid of the AD object or the Object Id of the Microsoft Entra object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry. | | -| **Options** | Defines whether to display notification or not |**When Type Allow is selected**: <p>0: nothing<p>4: disable **AuditAllowed** and **AuditDenied** for this Entry. 
Even if **Allow** happens and the AuditAllowed is setting configured, the system won't send event. <p>8: create a copy of the file as evidence, and fire "RemovableStorageFileEvent" event, this has to be used together with 'Set location for a copy of the file' setting through Intune or Group Policy. <p>**When Type Deny is selected**: <p>0: nothing<p>4: disable **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system won't show notification. <p>**When Type **AuditAllowed** is selected**: <p>0: nothing <p>1: nothing <p>2: send event<p> **When Type **AuditDenied** is selected**: <p>0: nothing <p>1: show notification <p>2: send event<p>3: show notification and send event | -|AccessMask|Defines the access. | **Disk level access**: <p>1: Read <p>2: Write <p>4: Execute <p>**File system level access**: <p>8: File system Read <p>16: File system Write <p>32: File system Execute <p><p>You can have multiple access by performing binary OR operation, for example, the AccessMask for Read and Write and Execute will be 7; the AccessMask for Read and Write will be 3.| -|Parameters|Condition for this Entry, for example Network condition. | Can add groups (non Devices type) or even put Parameters into Parameters. See Parameters properties table below to get details.| --The following table lists the properties you can use in **Parameters**: --| Property Name | Description | Options | -|||| -|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. 
<p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. <p> **MatchExcludeAll**: The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value. <p> **MatchExcludeAny**: The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.| -| **File** <p> **VPN Connection** <p> **Network** | You can use one or multiple File or Network or VPN Connection group(s) as parameter for this Entry, and then define MatchType for the relationship between those groups.| -| **Parameters** | You can embed Parameters inside Parameters with MatchType.| --For specific guidance, see: --| Article | Description | -||| -| [Deploying Removable Storage Access Control by using Group Policy](deploy-manage-removable-storage-group-policy.md) | Use Group Policy to deploy the policy.| -| [Deploying Removable Storage Access Control by using Intune OMA-URI](deploy-manage-removable-storage-intune.md) | Use Intune to deploy the policy.| --## View data in Microsoft Defender for Endpoint --The [Microsoft Defender portal](https://security.microsoft.com/advanced-hunting) shows events triggered by the Device Control Removable Storage Access Control. 
To access the Microsoft 365 security, you must have the following subscription: --- Microsoft 365 E5-- Microsoft Defender for Endpoint Plan 2- --If `AuditAllowed` or `AuditDenied` is configured in your policy and **Send event** is selected in **Options**, an event will be sent to Advanced hunting or the Device control report for every covered access (`AccessMask` in the entry), regardless of whether it was initiated by the system or by the user who signed in. --```kusto -//RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement -DeviceEvents -| where ActionType == "RemovableStoragePolicyTriggered" -| extend parsed=parse_json(AdditionalFields) -| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess) -| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) -| extend MediaBusType = tostring(parsed.BusType) -| extend MediaClassGuid = tostring(parsed.ClassGuid) -| extend MediaClassName = tostring(parsed.ClassName) -| extend MediaDeviceId = tostring(parsed.DeviceId) -| extend MediaInstanceId = tostring(parsed.DeviceInstanceId) -| extend MediaName = tostring(parsed.MediaName) -| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy) -| extend MediaProductId = tostring(parsed.ProductId) -| extend MediaVendorId = tostring(parsed.VendorId) -| extend MediaSerialNumber = tostring(parsed.SerialNumber) -|project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize -| order by Timestamp desc -``` --```kusto -//information of the evidence file -DeviceEvents -| where ActionType contains "RemovableStorageFileEvent" -| extend parsed=parse_json(AdditionalFields) -| extend Policy = tostring(parsed.Policy) -| extend PolicyRuleId = 
tostring(parsed.PolicyRuleId) -| extend MediaClassName = tostring(parsed.ClassName) -| extend MediaInstanceId = tostring(parsed.InstanceId) -| extend MediaName = tostring(parsed.MediaName) -| extend MediaProductId = tostring(parsed.ProductId) -| extend MediaVendorId = tostring(parsed.VendorId) -| extend MediaSerialNumber = tostring(parsed.SerialNumber) -| extend FileInformationOperation = tostring(parsed.DuplicatedOperation) -| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation) -| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields -| order by Timestamp desc -``` |
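Review bot: the removed block at the end of this row drops both sample queries (`RemovableStoragePolicyTriggered` and `RemovableStorageFileEvent`) without leaving a pointer to where they now live; the identical queries are kept in the Device Control Report row further down this page, so replace the removed block with a cross-link to that article rather than deleting the queries silently. The removed prerequisite ("Microsoft 365 E5" / "Microsoft Defender for Endpoint Plan 2") should also survive somewhere, because the report row now states only "Microsoft 365 for E5 reporting".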
security | Device Control Removable Storage Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection.md | - Title: Microsoft Defender for Endpoint Device Control Removable Storage Protection -description: Understand capabilities that help prevent user or machine or both from using unauthorized removable storage media --- Previously updated : 08/22/2023---- m365-security-- tier3-- mde-asr-----# Microsoft Defender for Endpoint Device Control Removable Storage Protection ---**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Business](/microsoft-365/security/defender-business)---Device control removable storage protection in Microsoft Defender for Endpoint prevents users, endpoints, or both from using unauthorized removable storage media. --## Removable storage access control --**Capabilities** --- *Audit* Read or Write or Execute access to removable storage based on various device properties, with or without an exclusion.-- *Prevent* Read or Write or Execute access with or without an exclusion - Allow specific device based on various device properties.--To manage external storage, use removable storage access control instead of [device installation](#device-installation). --**Windows 10 and Windows 11 support details** --- Applied at either the device level, user level. or both. 
Only allow specific people performing Read/Write/Execute access to specific removable storage on specific machine.-- Support Intune OMA-URI and GPO.-- For Windows devices, see [Removable storage Access Control](device-control-removable-storage-access-control.md).--**Supported Platform** --- Windows 10, Windows 11--**macOS support details** --- Applied at the device level: the same policy applies for any logged on user.-- For macOS specific information, see [Device control for macOS](mac-device-control-overview.md).--**Supported platform** --- macOS 11 (Big Sur) or later--## Device installation --**Capabilities** - Prevent installation with or without exclusion based on various device properties. --**Windows 10 and Windows 11 support details**: --- Applied at the device level: the same policy applies for any logged on user.-- Supports Microsoft Configuration Manager and Group Policy Objects.-- For more information on Windows, see [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md).--**Supported Platform** --- Windows 10, Windows 11--**macOS support details** --- Applied at the device level: the same policy applies for any logged on user-- For macOS specific information, see [Device control for macOS](mac-device-control-overview.md).--**Supported platform** --- macOS 11 (Big Sur) or later--## Endpoint DLP Removable storage --**Capabilities** --- Audit, warn, or prevent a user from copying an item or information to removable media or USB device.--**Description** --- See [Learn about Endpoint data loss prevention](../../compliance/endpoint-dlp-learn-about.md).--**Supported Platform** --- Windows 10, Windows 11--## BitLocker --**Capabilities** --- Block data to be written to removable drives that aren't BitLocker protected.-- Block access to removable drives unless they were encrypted on a computer owned by your organization--**Description** --- See [BitLocker - Removable Drive 
Settings](/mem/intune/protect/endpoint-security-disk-encryption-profile-settings).--**Supported Platform** --- Windows 10, Windows 11-- |
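Review bot: deleting device-control-removable-storage-protection.md removes the side-by-side description of removable storage access control, device installation, Endpoint DLP and BitLocker removable-drive settings, and the article is still linked by full path from the Device Installation article that this same set deletes further down. Confirm a redirect is in place (device-control-overview.md, which the new walkthroughs article links in its Next steps, is the natural target) so external bookmarks and the `#device-installation` anchor used in the removed text don't 404.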
security | Device Control Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md | Title: Protect your organization's data with device control + Title: View device control events and information in Microsoft Defender for Endpoint description: Monitor your organization's data security through device control reports. ms.localizationpriority: medium Previously updated : 06/26/2023 Last updated : 02/01/2024 - + audience: ITPro - m365-security-- tier3+- tier2 - mde-asr search.appverid: met150 -# Device control report +# View device control events and information in Microsoft Defender for Endpoint -Microsoft Defender for Endpoint device control protects against data loss by monitoring and controlling media use by devices in your organization, such as using removable storage devices and USB drives. You can use device control events through: +Microsoft Defender for Endpoint device control helps protect your organization from potential data loss, malware, or other cyberthreats by allowing or preventing certain devices to be connected to users' computers. You can view information about device control events with advanced hunting or by using the device control report. -- **Advanced hunting**; and-- the **Device control report**. +To access the [Microsoft Defender portal](https://security.microsoft.com/advanced-hunting), your subscription must include Microsoft 365 for E5 reporting. -Select each tab to learn more about these methods. +Select each tab to learn more about advanced hunting and the device control report. ## [**Advanced hunting**](#tab/advhunt) - ## Advanced hunting **Applies to:** Select each tab to learn more about these methods. 
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) -The [Microsoft Defender portal](https://security.microsoft.com/advanced-hunting) shows events triggered by the Device Control Removable Storage Access Control and Printer Protection. To access the Microsoft Defender portal, you must have the following subscription: +When a device control policy is triggered, an event is visible with advanced hunting, regardless of whether it was initiated by the system or by the user who signed in. This section includes some example queries you can use in advanced hunting. -- Microsoft 365 for E5 reporting+### Example 1: Removable storage policy triggered by disk and file system level enforcement -- **RemovableStoragePolicyTriggered:** Shows the event triggered by Disk and file system level enforcement for both printer and removable storage when the `AuditAllowed` or `AuditDenied` is configured in your policy and **Send event** is selected in **Options**.-- **RemovableStorageFileEvent:** Shows the event triggered by the Evidence file feature for both printer and removable storage when **Options** 8 is configured in **Allow** Entry.+When a `RemovableStoragePolicyTriggered` action occurs, event information about the disk and file system level enforcement is available. -The event is sent to Advanced hunting or the device control report for every covered access (`AccessMask` in the entry), regardless of whether it was initiated by the system or by the user who signed in. +> [!TIP] +> Currently, in advanced hunting, there's a limit of 300 events per device per day for `RemovableStoragePolicyTriggered` events. Use the device control report to view additional data. 
```kusto+ //RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement for both Printer and Removable storage based on your policy DeviceEvents | where ActionType == "RemovableStoragePolicyTriggered" DeviceEvents | extend MediaSerialNumber = tostring(parsed.SerialNumber) |project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize | order by Timestamp desc+ ``` +### Example 2: Removable storage file event ++When a RemovableStorageFileEvent action occurs, information about the evidence file is available for both printer protection and removable storage. Here's an example query you can use with advanced hunting: + ```kusto+ //information of the evidence file DeviceEvents | where ActionType contains "RemovableStorageFileEvent" DeviceEvents | extend FileEvidenceLocation = tostring(parsed.TargetFileLocation) | project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields | order by Timestamp desc+ ``` ## [**Device control report**](#tab/report) DeviceEvents - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Business](/microsoft-365/security/defender-business) - With the device control report, you can view events that relate to media usage. Such events include: - **Audit events:** Shows the number of audit events that occur when external media is connected. 
There might be a delay of up to six hours from the time a media connection occur [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]++## See also ++- [Device control in Microsoft Defender for Endpoint](device-control-overview.md) +- [Device Control for macOS](mac-device-control-overview.md) |
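Review bot: the prerequisite in the new intro ("your subscription must include Microsoft 365 for E5 reporting") is weaker than the text it replaces, which listed Microsoft Defender for Endpoint Plan 2, yet the Advanced hunting tab's Applies to still lists Plan 1; say explicitly that the advanced hunting queries need Defender for Endpoint Plan 2 (the report tab lists Plan 2 and Defender for Business) or drop Plan 1 from that tab. Two smaller points in the query section: Example 2 filters with `| where ActionType contains "RemovableStorageFileEvent"` while Example 1 uses `==`; `contains` forces a substring scan, so use `==` (or `has`) for an exact ActionType match. And `RemovableStorageFileEvent` in the Example 2 lead sentence should be in code font, as `RemovableStoragePolicyTriggered` is in Example 1.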
security | Device Control Walkthroughs | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-walkthroughs.md | + + Title: Device control walkthroughs +description: Learn how to work with device control in Defender for Endpoint. +++ Last updated : 01/29/2024++++audience: ITPro ++- m365-security +- tier2 +- mde-asr ++- partner-contribution ++search.appverid: MET150 +f1.keywords: NOCSH +++# Device control walkthroughs ++This article describes different ways to see how device control works. Beginning with default settings, each section describes how to configure device control to achieve certain objectives. ++## Explore the default state of device control ++By default, [device control](device-control-overview.md) is disabled and there are no restrictions on which devices can be added. The auditing of basic device control events is enabled for devices that are onboarded to Defender for Endpoint. This activity can be seen in the [device control report](device-control-report.md). Filtering on the built-in **PnP Audit Policy** shows devices that are connected to the endpoints in the environment. ++Device control in Defender for Endpoint identifies a device based on its properties. Device properties are visible by selecting an entry in the report. 
++The **Device ID**, **Vendor ID** (VID), **Serial number**, and **Bus type** can all be used to identify a device (see [Device control policies in Microsoft Defender for Endpoint](device-control-policies.mddata is also available in [advanced hunting](../defender/advanced-hunting-overview.md), by searching for the `Plug and Play Device Connected action` (`PnPDeviceConnected`), as shown in the following example query: ++```kusto ++DeviceEvents +| where ActionType == "PnpDeviceConnected" +| extend parsed=parse_json(AdditionalFields) +| extend MediaClass = tostring(parsed.ClassName) +| extend MediaDeviceId = tostring(parsed.DeviceId) +| extend MediaDescription = tostring(parsed.DeviceDescription) +| extend MediaSerialNumber = tostring(parsed.SerialNumber) +| project Timestamp, DeviceId, DeviceName, AccountName, AccountDomain, MediaClass, MediaDeviceId, MediaDescription, MediaSerialNumber, parsed +| order by Timestamp desc ++``` ++The status of device control (enabled/disabled, default enforcement, and last policy update) is available on a device via [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus), as illustrated in the following snippet: ++```powershell ++DeviceControlDefaultEnforcement : +DeviceControlPoliciesLastUpdated : 1/3/2024 12:51:56 PM +DeviceControlState : Disabled ++``` ++Change the device control state to be enabled* on a test device. Make sure the policy is applied by checking [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus), as illustrated in the following snippet: ++```powershell ++DeviceControlDefaultEnforcement : DefaultAllow +DeviceControlPoliciesLastUpdated : 1/4/2024 10:27:06 AM +DeviceControlState : Enabled ++``` ++In the test device, insert a USB drive. There are no restrictions; all types of access (read, write, execute, and print) are allowed. A record is created to show that a USB device was connected. 
You can use the following example advanced hunting query to see it: ++```kusto ++DeviceEvents +| where ActionType == "PnpDeviceConnected" +| extend parsed=parse_json(AdditionalFields) +| extend MediaClass = tostring(parsed.ClassName) +| extend MediaDeviceId = tostring(parsed.DeviceId) +| extend MediaDescription = tostring(parsed.DeviceDescription) +| extend MediaSerialNumber = tostring(parsed.SerialNumber) +| where MediaClass == "USB" +| project Timestamp, DeviceId, DeviceName, AccountName, AccountDomain, MediaClass, MediaDeviceId, MediaDescription, MediaSerialNumber, parsed +| order by Timestamp desc ++``` ++This example query filters the events by `MediaClass`. The default behavior can be changed to deny all devices, or to exclude families of devices from device control. Change the default behavior to deny, and then set device control only to apply to removable storage. ++For Intune, use a custom profile to set the device control settings, as follows: ++- Set `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled` to `1` +- Set `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement` to `2` +- Set `./Vendor/MSFT/Defender/Configuration/SecuredDevicesConfiguration` to `RemovableMediaDevices` ++Deploy your policy to the test device. Use [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) to confirm that the default enforcement is set to Deny, as illustrated in the following snippet: ++```powershell ++DeviceControlDefaultEnforcement : DefaultDeny +DeviceControlPoliciesLastUpdated : 1/4/2024 10:27:06 AM +DeviceControlState : Enabled ++``` ++Remove, and reinsert the USB device in the test machine. Try to open the drive. The drive isn't accessible, and a message appears which indicates that access is denied. ++> [!NOTE] +> Samples and instructions and examples are available [here](https://github.com/microsoft/mdatp-devicecontrol/blob/main/README.md). 
++## Step 1: Deny all removable media ++In order to customize the behavior, device control uses policies that are a combination of groups and rules. Start by deploying a policy that denies all access to all removable storage devices, and audits the event by sending a notification to the portal and the user. The following image summarizes these settings: +++For the purposes of controlling access, devices are organized into Groups. This policy uses a group called `All removable media devices`. Once this policy is deployed to the test device, reinsert the USB. A notification appears, indicating that device access is restricted. ++The event also appears within 15 minutes in advanced hunting. You can use the following example query to view the results: ++```kusto ++DeviceEvents +| where ActionType == "RemovableStoragePolicyTriggered" +| extend parsed=parse_json(AdditionalFields) +| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess) +| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) +| extend MediaBusType = tostring(parsed.BusType) +| extend MediaClassGuid = tostring(parsed.ClassGuid) +| extend MediaClassName = tostring(parsed.ClassName) +| extend MediaDeviceId = tostring(parsed.DeviceId) +| extend MediaInstanceId = tostring(parsed.DeviceInstanceId) +| extend MediaName = tostring(parsed.MediaName) +| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy) +| extend MediaProductId = tostring(parsed.ProductId) +| extend MediaVendorId = tostring(parsed.VendorId) +| extend MediaSerialNumber = tostring(parsed.SerialNumber) +|project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize +| order by Timestamp desc ++``` ++> [!NOTE] +> You can view 
up to 300 events per device per day with advanced hunting. +> ++Selecting the event to view information about the policy and the device. ++## Step 2: Allow access for authorized USB devices ++To grant access to set of authorized USBs devices, set up a group to identify those devices. We call our group `Authorized USBs`, and used the settings depicted in the following image: +++In our example, the authorized USBs group contains a single device identified by its `InstancePathId`. Before deploying the sample, you can change the value to the `InstancePathId` for a test device. See [Using Windows Device Manager to determine device properties](device-control-policies.md#using-windows-device-manager-to-determine-device-properties) and [Using reports and advanced hunting](device-control-policies.md#using-reports-and-advanced-hunting-to-determine-properties-of-devices) to determine properties of devices for details on how to find the correct value. ++Notice that the authorized USB group is excluded from the deny-all policy. This ensures that those devices are evaluated for the other policies. Policies aren't evaluated in order, so each policy should be correct if evaluated independently. Once the policy is deployed, reinsert the approved USB device. You should see that there's full access to the device. Insert another USB, and confirm that access is blocked for that device. ++Device control has lots of ways to group devices based on properties. For more information, see [Device control policies in Microsoft Defender for Endpoint](device-control-policies.md). ++## Step 3: Allow different levels of access for different types of devices ++To create different behaviors for different devices, place them into separate groups. In our example, we use a group called `Read Only USBs`. The following image shows the settings we used: +++In our example, the Read Only USB group contains a single device identified by its `VID_PID`. 
Before deploying the sample, you can change the value of `VID_PID` to that of a second test device. ++Once the policy is deployed, insert an authorized USB. You should see that full access is allowed. Now insert the second test device (Read Only USB). You can access the device with read-only permissions. Attempt to create a new file, or make changes to a file, and you should see that device control blocks it. ++If you insert any other USB device, it should be blocked due to the "Deny all other USBs" policy. ++## Step 4: Allow different levels of access to devices for specific users or groups ++Device control allows you to further restrict access using conditions. The simplest condition is a user condition. In device control, users and groups are identified by their Security Identified (SID). ++The following screenshot shows the settings we used for our example: +++By default, the sample uses the Global SID of `S-1-1-0`. Before deploying the policy, you can change the SID associated with the authorized USBs (writeable USBs) to `User1` and change the SID associated with the Read Only USBs to `User2`. ++Once the policy is deployed, only User 1 has write access to the Authorized USBs, and only User 2 has read access to the ReadOnly USBs. ++Device control also supports group SIDs. Change the SID in the read-only policy to a group that contains `User2`. Once the policy is redeployed, the rules are the same for User 2 or any other user in that group. ++> [!NOTE] +> For groups that are stored in Microsoft Entra, use the object id instead of the SID to identify groups of users. ++## Next steps ++- [Understand Device control policies](device-control-policies.md) +- [Deploy and manage device control with Intune](device-control-deploy-manage-intune.md) +- [Deploy and manage device control with Group Policy](device-control-deploy-manage-gpo.md) +- [View device control reports](device-control-report.md) |
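Review bot: the policy that Step 1 deploys is described as one that "denies all access to all removable storage devices" through the `All removable media devices` group, but Step 3 refers to it as the "Deny all other USBs" policy; use one name throughout and say it applies to all removable storage, not only USB, since that is what the group matches. In the Intune setup the three OMA-URI values are listed without their meaning: the only way a reader learns that `DefaultEnforcement` = `2` means deny is the later `DefaultDeny` line in the Get-MpComputerStatus output, so state it next to the setting. Wording: "Security Identified (SID)" should be "Security Identifier"; the stray asterisk in "enabled* on a test device" has no footnote; "Selecting the event to view information about the policy and the device." is a fragment (Select the event to view ...); "set of authorized USBs devices" should be "a set of authorized USB devices"; `S-1-1-0` is the well-known Everyone SID, so "Global SID" should read "the well-known Everyone SID". The link in the default-state section is unterminated in the rendered diff ("[Device control policies in Microsoft Defender for Endpoint](device-control-policies.mddata is also available ..."), so check that the closing parenthesis and the sentence that follows survived in the source.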
security | Enable Update Mdav To Latest Ws | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws.md | ms.pagetype: security ms.localizationpriority: high Previously updated : 02/16/2023 Last updated : 01/31/2024 audience: ITPro |
security | Mde Device Control Device Installation | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-device-control-device-installation.md | - Title: Microsoft Defender for Endpoint Device Control Device Installation -description: This topic provides a walk through about Microsoft Defender for Endpoint Device Control Device Installation --ms.sitesec: library -ms.pagetype: security -- Previously updated : 10/18/2022---- m365-security-- tier3-- mde-asr-----# Microsoft Defender for Endpoint Device Control Device Installation --**Applies to** --- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)---> [!NOTE] -> If you want to manage removable storage, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control). --Microsoft Defender for Endpoint Device Control Device Installation enables you to do the following task: --- Prevent people from installing specific devices.-- Allow people to install specific devices but prevent other devices.--> [!NOTE] -> To find the difference between Device Installation and Removable storage access control, see [Microsoft Defender for Endpoint Device Control Removable Storage Protection](/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection?view=o365-worldwide&preserve-view=true). --|Privilege|Permission| -|:|:| -|Access|Device installation | -|Action Mode|Allow, Prevent | -|CSP Support|Yes| -|GPO Support|Yes| -|User-based Support|No| -|Machine-based Support|Yes| --## Prepare your endpoints --Deploy Device Installation on Windows 10, Windows 11 devices, Windows Server 2022. 
--## Device properties --The following device properties are supported by Device Installation support: --- Device ID-- Hardware ID-- Compatible ID-- Device Class-- Removable device type: Some devices could be classified as a removable device. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.--For more information, see [Device Installation in Windows](/windows/client-management/manage-device-installation-with-group-policy). --## Policies --### Allow installation of devices that match any of these Device IDs --This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is enabled. --When this policy setting is enabled together with the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: --- Prevent installation of devices that match these device IDs.-- Prevent installation of devices that match any of these device instance IDs.--If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. 
--> [!NOTE] -> The **Prevent installation of devices not described by other policy settings** policy setting has been replaced by the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting for supported target Windows 10 versions and Windows 11. Use the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting when possible. --### Allow installation of devices that match any of these device instance IDs --This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is enabled. --When this policy setting is enabled together with the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: --- Prevent installation of devices that match any of these device instance IDs--If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. --### Allow installation of devices using drivers that match these device setup classes --This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. 
This policy setting is intended to be used only when the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is enabled. --When this policy setting is enabled together with the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: --- Prevent installation of devices for these device classes-- Prevent installation of devices that match these device IDs-- Prevent installation of devices that match any of these device instance IDs--If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. --### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria --This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria are applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: --**Device instance IDs** \> **Device IDs** \> **Device setup class** \> **Removable devices** --#### Device instance IDs --1. Prevent installation of devices using drivers that match these device instance IDs. -2. 
Allow installation of devices using drivers that match these device instance IDs. --#### Device IDs --1. Prevent installation of devices using drivers that match these device IDs. -2. Allow installation of devices using drivers that match these device IDs. --#### Device setup class --1. Prevent installation of devices using drivers that match these device setup classes. -2. Allow installation of devices using drivers that match these device setup classes. --#### Removable devices --Prevent installation of removable devices --> [!NOTE] -> This policy setting provides more granular control than the **Prevent installation of devices not described by other policy settings** policy setting. If these conflicting policy settings are enabled at the same time, the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting will be enabled and the other policy setting will be ignored. --### Prevent installation of devices that match any of these device IDs --This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. --> [!NOTE] -> To enable the **Allow installation of devices that match any of these device instance IDs** policy setting to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting. --If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. 
--If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. --### Prevent installation of devices that match any of these device instance IDs --This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. --If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. --If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. --### Prevent installation of devices using drivers that match these device setup classes --This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. --> [!NOTE] -> To enable the **Allow installation of devices that match any of these device IDs** and **Allow installation of devices that match any of these device instance IDs** policy settings to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting. --If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. 
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. --If you disable or don't configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. --### Prevent installation of removable devices --This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. --> [!NOTE] -> To enable the **Allow installation of devices using drivers that match these device setup classes**, **Allow installation of devices that match any of these device IDs**, and **Allow installation of devices that match any of these device instance IDs** policy settings to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting. Also, the allow policy won't take precedence if the **Block Removable Storage** option is selected in Device Control. --If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. --If you disable or don't configure this policy setting, Windows can install and update driver packages for removable devices as allowed or prevented by other policy settings. 
--## Common Removable Storage Access Control scenarios --To help familiarize you with Microsoft Defender for Endpoint Removable Storage Access Control, we have put together some common scenarios for you to follow. --### Scenario 1: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive --For this scenario, following policies will be used: --- Prevent installation of devices using drivers that match these device setup classes.-- Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.-- Allow installation of devices that match any of these device instance IDs or Allow installation of devices that match any of these device IDs.--#### Deploying and managing policy via Intune --The Device installation feature allows you to apply policy through Intune to device. --#### Licensing --Before you get started with Device installation, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/en-in/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Device installation, you must have Microsoft 365 E3. --#### Permission --For Policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions: --- Policy and profile Manager role-- Or custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles-- Or Global admin--#### Deploying policy --In the Microsoft Intune admin center [https://endpoint.microsoft.com/](https://endpoint.microsoft.com/) --1. Configure **Prevent installation of devices using drivers that match these device setup classes**. -- Open **Endpoint security** > **Attack surface reduction** > **Create Policy** > **Platform: Windows 10 (and later) & Profile: Device control**. 
-- :::image type="content" source="../../media/devicepolicy-editprofile.png" alt-text="The Edit profile page" lightbox="../../media/devicepolicy-editprofile.png"::: --2. Plug in a USB, device and you will see following error message: -- :::image type="content" source="../../media/devicepolicy-errormsg.png" alt-text="The error message" lightbox="../../media/devicepolicy-errormsg.png"::: --3. Enable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria**. -- **only support OMA-URI for now**: **Devices** > **Configuration profiles** > **Create profile** > **Platform: Windows 10 (and later) & Profile: Custom** -- :::image type="content" source="../../media/devicepolicy-editrow.png" alt-text="The Edit Row page" lightbox="../../media/devicepolicy-editrow.png"::: --4. Enable and add allowed USB Instance ID ΓÇô **Allow installation of devices that match any of these device IDs**. -- Update the Device control profile from step 1. -- :::image type="content" source="../../media/devicepolicy-devicecontrol.png" alt-text="An identifier in the Device Control page" lightbox="../../media/devicepolicy-devicecontrol.png"::: -- We added `PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB` as shown in the preceding image because it's not enough to enable only a single hardware ID to enable a single USB thumb-drive. You must ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. You can open Device Manager and change the view to **Devices by connections** to see the way devices are installed in the PnP tree. 
In this case, the following devices must allowed so the target USB thumb-drive could be allowed as well: -- - "Intel(R) USB 3.0 eXtensible Host Controller ΓÇô 1.0 (Microsoft)" -> PCI\CC_0C03 - - "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30 - - "Generic USB Hub" -> USB\USB20_HUB -- :::image type="content" source="../../media/devicepolicy-devicemgr.png" alt-text="The View menu item in the Device Manager page" lightbox="../../media/devicepolicy-devicemgr.png"::: -- > [!NOTE] - > Some devices in the system have several layers of connectivity to define their installation on the system. USB thumb drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic device IDs that are commonly used in systems and could provide a good start to build an "Allow list" in such cases. The following is one example (it is not always the same for all USBs; you need to understand the PnP tree of the device you want to manage through the Device Manager): - > - > `PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ USB\USB20_HUB (for Generic USB Hubs)/` - > - > Specifically for desktop machines, it's important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. - > - > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done. --5. Plug in the allowed USB again. You'll see that it's now allowed and available. 
-- :::image type="content" source="../../media/devicepolicy-removedrive.png" alt-text="The Remove drive details page" lightbox="../../media/devicepolicy-removedrive.png"::: --#### Deploying and managing policy via Group Policy --The Device installation feature allows you to apply policy through Group Policy. --#### Deploying policy --See [Manage Device Installation with Group Policy (Windows 10) - Windows Client](/windows/client-management/manage-device-installation-with-group-policy). --## View Device Control Removable Storage Access Control data in Microsoft Defender for Endpoint --The [Microsoft Defender portal](https://sip.security.microsoft.com/homepage) shows removable storage blocked by the Device Control Device Installation. --```kusto -//events triggered by Device Installation policies -DeviceEvents -| where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed" -| extend parsed=parse_json(AdditionalFields) -| extend MediaClassGuid = tostring(parsed.ClassGuid) -| extend MediaInstanceId = tostring(parsed.DeviceInstanceId) -| extend MediaDeviceId = tostring(parsed.MatchingDeviceId) -| project Timestamp , DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields -| order by Timestamp desc -``` ---## Frequently asked questions --### How do I confirm that a device gets a deployed policy? --You can use following query to get antimalware client version on the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)): --```kusto -//check whether the Device installation policy has been deployed to the target machine, event only when modification happens -DeviceRegistryEvents -| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\" -| order by Timestamp desc -``` --## Why doesn't the Allow policy work? --It is not enough to enable only a single hardware ID to enable a single USB thumb-drive. 
Ensure that all the USB devices that precede the target one aren't blocked (allowed) as well. - |
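Review bot: every line in this row is a removal with no `+` counterpart, so the advanced hunting queries (the `DeviceEvents` filter on `ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed"` and the `DeviceRegistryEvents` check on `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\`) and the PnP-tree allow-list guidance (the `PCI\CC_0C03; ... USB\USB20_HUB` list and the Device Manager "Devices by connections" view) disappear from the docs with this commit. Confirm they are carried into the replacement articles the other rows of this change set now link to (device-control-overview.md, device-control-policies.md) and that a redirect covers the deleted path. If the text is migrated, fix "the following devices must allowed" to "must be allowed" and the mis-encoded dashes ("ΓÇô") on the way.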
security | Microsoft Defender Antivirus Updates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md | All our updates contain - Improved processing of environment variables in protected folders list for [controlled folder access](controlled-folders.md) - Improved performance of [on-access scanning](configure-advanced-scan-types-microsoft-defender-antivirus.md) of files with Mark of the Web (MoTW)-- Added support for Active Directory device groups with [device control](device-control-removable-storage-protection.md)+- Added support for Active Directory device groups with [device control](device-control-overview.md) - Fixed an issue so that [ASROnlyPerRuleExclusions](/windows/client-management/mdm/defender-csp#configurationasronlyperruleexclusions) don't apply during an engine reboot - [Microsoft Defender Core service](microsoft-defender-antivirus-windows.md#microsoft-defender-core-service) is generally available for consumer devices and is coming soon for business customers. - Fixed an issue with device control so that device control policies remain enforced when a platform update requires a reboot-- Improved performance of [device control for printing scenarios](printer-protection.md)+- Improved performance of [device control for printing scenarios](device-control-policies.md) - Fixed truncation issue in the output of [MpCmdRun.exe -scan](command-line-arguments-microsoft-defender-antivirus.md) (processing Unicode characters) #### Known issues |
security | Migrate Devices Streamlined | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrate-devices-streamlined.md | Title: Migrate devices to use the streamlined onboarding method description: Learn how to migrate devices to Defender for Endpoint using the streamlined connectivity method. search.appverid: met150 --++ ms.localizationpriority: medium audience: ITPro For macOS and Linux, you can use the following methods: ### MDATP connectivity test (macOS and Linux) -Run `mdatp health -details` to confirm simplified_connectivity: "enabled". +Run `mdatp health -details features ` to confirm simplified_connectivity: "enabled". Run `mdatp health -details edr` to confirm `edr_partner_geo_location` is available. The value should be `GW_<geo>` where 'geo' is your tenant's geo-location. |
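Review bot: the added line for the macOS and Linux connectivity test has a trailing space inside the inline code, `mdatp health -details features `, which renders as part of the command; it should read `mdatp health -details features`. While touching it, format `simplified_connectivity: "enabled"` as code, as the following line already does for `edr_partner_geo_location`, so the two checks read consistently.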
security | Msda Updates Previous Versions Technical Upgrade Support | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md | Microsoft regularly releases [security intelligence updates and product updates - Excluded IP addresses can now be configured using [Intune](/windows/client-management/mdm/defender-csp#configurationexcludedipaddresses) - Improved [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) on Windows Server 2016 - [DisableFtpParsing](/windows/client-management/mdm/defender-csp#configurationdisableftpparsing) can now be configured through [Set-MpPreference](/powershell/module/defender/set-mppreference)-- Fixed an issue where [device control](device-control-removable-storage-protection.md) policies weren't applied correctly without a reboot following product updates+- Fixed an issue where [device control](device-control-overview.md) policies weren't applied correctly without a reboot following product updates - Fixed an issue in the attack surface reduction rule, [Block Win32 API calls from Office macros](attack-surface-reduction-rules-reference.md#block-win32-api-calls-from-office-macros), configured in warn mode where excluded files were incorrectly blocked until the next device reboot ### Known issues Microsoft regularly releases [security intelligence updates and product updates - Fixed false positive triggering attack surface reduction detections - Added fix resulting in better fidelity of EDR and Advanced Hunting detection alerts - Defender no longer supports custom notifications on toast pop ups. Modified GPO/Intune/SCCM and docs to reflect this change.-- Improvements to capture both information and copy of files written to removable storage. 
To learn more, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](device-control-removable-storage-access-control.md).+- Improvements to capture both information and copy of files written to removable storage. - Improved traffic output when SmartScreen service is unreachable - Connectivity improvements for customers using proxies with authentication requirements - Fixed VDI device update bug for network FileShares Microsoft regularly releases [security intelligence updates and product updates ### What's new - Improved CPU usage efficiency of certain intensive scenarios on Exchange servers-- Added new device control status fields under Get-MpComputerStatus in Defender PowerShell module. For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md).+- Added new device control status fields under Get-MpComputerStatus in Defender PowerShell module. - Fixed bug in which `SharedSignatureRoot` value couldn't be removed when set with PowerShell - Fixed bug in which [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) failed to be enabled, even though Microsoft Defender for Endpoint indicated that tamper protection was turned on - Added supportability and bug fixes to performance analyzer for Microsoft Defender Antivirus tool. For more information, see [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md). |
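Review bot: in the two `+` lines that replace "Improvements to capture both information and copy of files written to removable storage" and "Added new device control status fields under Get-MpComputerStatus", the "For more information, see [...]" pointer is dropped outright, whereas the other hunk in this row (and the Microsoft Defender Antivirus Updates row above) retargets the same dead link to device-control-overview.md. Keep a pointer, for example "For more information, see [device control](device-control-overview.md)", so readers of the release notes can still find where the file-copy evidence feature and the new `Get-MpComputerStatus` fields are documented.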
security | Overview Attack Surface Reduction | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md | To configure attack surface reduction in your environment, follow these steps: 4. [Enable controlled folder access](enable-controlled-folders.md). -5. Enable [removable storage protection](device-control-removable-storage-protection.md) +5. Enable [removable storage protection](device-control-overview.md) 6. [Turn on network protection](enable-network-protection.md). |
security | Printer Protection Frequently Asked Questions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection-frequently-asked-questions.md | - Title: Printer Protection frequently asked questions -description: Answers frequently asked questions on MDE Printer Protection. ---ms.sitesec: library -ms.pagetype: security ------ m365-security-- tier3-- mde-asr-- Previously updated : 01/09/2023----# Printer Protection frequently asked questions --**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)--This article provides answers to frequently asked questions about device control printer protection capabilities in Microsoft Defender for Endpoint. --## How do I generate GUID for Group ID/PolicyRule ID/Entry ID? --You can generate the GUID through online open source or by using PowerShell. For more information, see [How to generate GUID through PowerShell](/powershell/module/microsoft.powershell.utility/new-guid). ---## What are the removable storage media and policy limitations? --The backend call is done through OMA-URI (GET to read or PATCH to update) either from Intune or through Microsoft Graph API. The limitation is the same as any OMA-URI custom configuration profile at Microsoft, which is officially 350,000 characters for XML files. For example, if you need two blocks of entries per user SID to "Allow" / "Audit allowed" specific users, and then two blocks of entries at the end to "Deny" all, you'll be able to manage 2,276 users. --## Why doesn't the policy work? --The most common reason is there's no required [anti-malware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints). --Another reason could be that the XML file isn't correctly formatted. 
For example, not using the correct markdown formatting for the "&" character in the XML file or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files causing the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**), and then update. --If you're deploying and managing the policy by using Group Policy, make sure to combine all PolicyRules into one XML file within a parent node called `PolicyRules`. Also combine all Groups into one XML file within a parent node called `Groups`. If you manage through Intune, keep one PolicyRule XML file, and one Group XML file. --The device (machine) should have a valid certificate. Run the following command on the machine to check: --`Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe` ---If the policy still isn't working, contact support, and share your support cab. To get that file, open Command Prompt as an administrator, and then use the following command: --`"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles` --## Why is there no configuration UX for some policy groups? --There is no configuration UX for **Define device control policy groups** and **Define device control policy rules** on your Group Policy. But, you can still get the related `.adml` and `.admx` files by selecting **Raw** and **Save as** at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/WindowsDefender.admx) files. --## How do I confirm that the latest policy has been deployed to the target machine? --You can run the PowerShell cmdlet `Get-MpComputerStatus` as an administrator. The following value will show whether the latest policy has been applied to the target machine. 
---## How can I know which machine is using out of date anti-malware client version in the organization? --You can use following query to get anti-malware client version on the Microsoft 365 security portal: --```kusto -//check the anti-malware client version -DeviceFileEvents -|where FileName == "MsMpEng.exe" -|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\" -|extend PlatformVersion=tostring(split(FolderPath, "\\", 5)) -//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion -|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion -|order by PlatformVersion desc -``` --## How do I find the media property in the Device Manager? --1. Plug in the media. --2. Open Device Manager. -- :::image type="content" source="media/screenshot-of-device-manager.png" alt-text="This is the screenshot of device manager." lightbox="media/screenshot-of-device-manager.png"::: --3. Locate the media in the Device Manager, right-click, and then select **Properties**. -- :::image type="content" source="media/locate-the-media.png" alt-text="This is the locate the media screenshot." lightbox="media/locate-the-media.png"::: --4. Open **Details**, and select **Properties**. -- :::image type="content" source="media/details.png" alt-text="This is details screenshot." lightbox="media/details.png"::: - - -<a name='how-do-i-find-sid-for-azure-ad-group'></a> --## How do I find Sid for Microsoft Entra group? --Different from AD group, the Sid is using Object ID for Microsoft Entra group. You can find the Object ID from Azure portal. ---- -## Why do I see duplicate events from RemovableStoragePolicyTriggered and PrintJobBlocked? --PrintJobBlocked is designed for [Printer Protection V1](printer-protection.md). Because the new Printer Protection solution is built based on the V1 solution, the system will still use PrintJobBlocked. 
If you are using the [new Printer Protection](printer-protection-overview.md), RemovableStoragePolicyTriggered is used to track the event. - |
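Review bot: the removed FAQ is the only place in this change set that documents the OMA-URI size limit (350,000 characters, about 2,276 users with the described entry layout), the XML pitfalls (an unescaped "&" and a byte order mark `0xEF 0xBB 0xBF` breaking parsing), the `Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe` check and the `MpCmdRun.exe -GetFiles` support-cab step, and nothing in the diff adds them elsewhere. Confirm they land in the device control pages the other rows now link to; if the text is carried over, correct "not using the correct markdown formatting for the "&" character in the XML file" to XML escaping (`&amp;`), since markdown is not involved.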
security | Printer Protection Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection-overview.md | - Title: Printer Protection Overview -description: A walk-through about Microsoft Defender for Endpoint for Printer Protection ------- m365-security-- tier3-- mde-asr--- Previously updated : 10/25/2023----# Printer Protection Overview --**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)--> [!NOTE] -> The Group Policy management and Intune OMA-URI/Custom Policy management of this product have been released. If you're currently using [Microsoft Defender for Endpoint Device Control Printer Protection](printer-protection-overview.md), we recommend that you upgrade. --## Overview --Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions. --|Privilege|Permission| -||::| -|Access|Read, Write, Execute| -|Action Mode|Audit, Allow, Prevent| -|CSP Support|Yes| -|GPO Support|Yes| -|User-based Support|Yes| -|Machine-based Support|Yes| --### Prerequisites for preview --Ensure that the Windows devices that you need to onboard should meet the following requirements: --1. 
Install the right OS KB: - - Windows 10 and later (20H2, 21H1, 21H2, and later) - [KB5020030](https://support.microsoft.com/en-us/topic/november-15-2022-kb5020030-os-builds-19042-2311-19043-2311-19044-2311-and-19045-2311-preview-237a9048-f853-4e29-a3a2-62efdbea95e2) - - Win 11 21H2 - [KB5019157](https://support.microsoft.com/en-us/topic/november-15-2022-kb5019157-os-build-22000-1281-preview-d64fb317-3435-49ff-b2c4-d0356a51a6b0) - - Win 11 22H2 - [KB5020044](https://support.microsoft.com/en-us/topic/november-29-2022-kb5020044-os-build-22621-900-preview-43f0bdf9-0b75-4110-bab3-3bd2433d84b3) -- Windows Server 2022 - [KB5020032](https://support.microsoft.com/en-us/topic/november-22-2022-kb5020032-os-build-20348-1311-preview-7ca1be57-3555-4377-9eb1-0e4d714d9c68)--2. MOCAMP:4.18.2205 or later, you can run the command `Get-MpComputerStatus` in PowerShell to check the version. ---### Device control printer protection properties --The printer protection comprises group and policy configurations: --- Group configuration allows you to create group. For example, authorized USB printer group or network location group.-- Policy configuration allows you to create policy to restrict each printer group. 
For example, only allow authorized users to Print access authorized printer group.--#### Group configuration --Group configuration includes the following types: --- Device-- Network-- VPN Connection-- PrintJob--The following table lists the properties you can use in **Group**: --|Property Name|Description|Options| -|||| -|Group ID|GUID, a unique ID, represents the group and to be used in the policy.|You can generate the group ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)| -|Name|String, the name of the policy and that displays on the toast based on the policy setting.| -|Type|The type of the group.|<ul><li>Device</li><li>Network</li><li>VPN Connection</li><li>PrintJob</li></ul> <p> **Note:** Default type is Device that includes removable storage and printer. For any other group you define in your Group setting, make sure explicitly mark Type, for example, Type="File".| -|DescriptorIdList|List the device properties you want to use to cover in the group. All properties are case sensitive.|When the Group type is Device, you can use the following attributes inside DescriptorIdList: <ul><li>PrimaryId: The Primary ID includes: <ul><li>RemovableMediaDevices</li><li>CdRomDevices</li><li>WpdDevices</li><li>PrinterDevices</li></ul></li><li>FriendlyNameId: A string that's attached to the device (the same string as the Friendly name in Device Manager). For example, `Generic Flash Disk USB Device`.</li><li>Device instance path (VID_PID): <ul><li>Vendor ID (VID): The four-digit vendor code that's assigned to the vendor by the USB committee.</li><li>Product ID (PID): The four-digit product code that's assigned to the device by the vendor. Wildcards are supported.</li></ul> <p> To transform the Device instance path to the VID_PID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). 
For example: <ul><li>`0751_55E0` matches that exact VID_PID pair value.</li><li>`_55E0` matches any device with the PID value 55E0.</li><li>`0751_` matches any device with the VID value 0751.</li></ul></li><li>PrinterConnectionId: Includes the following values: <ul><li>USB: A printer that's connected through USB port of a computer. You can use this value to enforce any USB printer. To define a specific USB printer, use the VID_PID.</li><li>Corporate: A print queue that's shared through a Windows print server in your on-premises domain. For example, `\print-server\contoso.com\legal_printer_001`.</li><li>Network: A printer that's accessible by network connection, making it usable by other computers that are connected to the network.</li><li>Universal: For more information about universal printers, see [Set up Universal Print](/universal-print/fundamentals/universal-print-getting-started).</li><li>File: Microsoft Print to PDF or Microsoft XPS Document Writer. To enforce Microsoft Print to PDF only, use the FriendlyNameId value 'Microsoft Print to PDF'.</li><li>Custom: A printer that doesn't connect through a Microsoft print port.</li><li>Local: A printer that connects through a Microsoft print port, but not any of the previously described types. For example, print through Remote Desktop or redirect printer.</li></ul> </li></ul> <p> **When the Group type is Network, you can use the following attributes inside DescriptorIdList**: <ul><li>NameId: The name of the Network. Wildcards are supported.</li><li>NetworkCategoryId: Public, Private, or DomainAuthenticated.</li><li>NetworkDomainId: NonDomain, Domain, or DomainAuthenticated.</li></ul> <p> **When the Group type is VPNConnection, you can use the following attributes inside DescriptorIdList**: <ul><li>NameId: The name of the VPN Connection. Wildcards are supported.</li><li>VPNConnectionStatusId: Connected or Disconnected.</li><li>VPNServerAddressId: The value of VPNServerAddress (string). 
Wildcards are supported.</li><li>VPNDnsSuffixId: The value of VPNDnsSuffix (string). Wildcards are supported.</li></ul> <p> **When the Group type is PrintJob, you can use the following attributes inside DescriptorIdList**: <ul><li>PrintOutputFileNameId: The output destination file path for print to file. Wildcards are supported. For example, `C:\*\Test.pdf`</li><li>PrintDocumentNameId: The source file path. Wildcards are supported. This path might not exist. For example, add text to a new file in Notepad, and then print without saving the file.</li></ul>| -|MatchType|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|<ul><li>**MatchAll**: Any attributes under the DescriptorIdList are an "And" relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system checks to see whether the USB meets both values. </li><li>**MatchAny**: The attributes under the DescriptorIdList are an "Or" relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, the system enforces as long as the USB has either an identical DeviceID or InstanceID value.</li><li>**MatchExcludeAll**: The attributes under the DescriptorIdList are an "And" relationship, any items that do NOT meet are covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system enforces as long as the USB doesn't have both identical DeviceID and InstanceID value.</li><li>**MatchExcludeAny**: The attributes under the DescriptorIdList are an "Or" relationship, any items that do NOT meet are covered. 
For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system enforces as long as the USB doesn't have either an identical DeviceID or InstanceID value.</li></ul>| --## Access policy rule --Every access policy rule called PolicyRule can be used to define access restriction for each Device type group through multiple entries. --The following table lists the properties you can use in **PolicyRule**: --|Property Name|Description|Options| -|||| -|PolicyRule ID|GUID, a unique ID, represents the policy and is used in reporting and troubleshooting.|You can generate the group ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)| -|Name|String, the name of the policy displays on the toast based on the policy setting and is captured in the reporting.| -|IncludedIdList|The group(s) that the policy is applied to. If multiple groups are added, the policy is applied to any media in all those groups.|The Group ID/GUID must be used at this instance. The following example shows the usage of GroupID: {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1} <p> **Note**: You shouldn't add multiple groups inside IncludedIdList. 
Instead, add all groups into a new group and then add the new group inside IncludedIdList.| -|ExcludedIDList|The group(s) that the policy isn't applied to.|The Group ID/GUID must be used at this instance.| -|Entry|One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.|See the entry properties table for more details.| --The following table lists the properties you can use in **Entry**: --|Property Name|Description|Options| -|||| -|PolicyRule ID|GUID, a unique ID, represents the policy and is used in the reporting and troubleshooting.|You can generate the group ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)| -|Type|Defines the action for the removable storage groups in IncludedIDList. <ul><li>Enforcement: Allow or Deny</li><li>Audit: AuditAllowed or AuditDenied</li></ul>|<ul><li>Allow</li><li>Deny</li><li>AuditAllowed: Defines event when access is allowed</li><li>AuditDenied: Defines notification and event when access is denied; has to work together with Deny entry.</li></ul> <p> When there are conflict types for the same media, the system applies the first one in the policy. An example of a conflict type is **Allow** and **Deny**.| -|Sid|Local user Sid or user Sid group or the Sid of the AD object or the Object ID of the Microsoft Entra object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the machine.| -|ComputerSid|Local computer Sid or computer Sid group or the Sid of the AD object or the Object ID of the Microsoft Entra object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the machine. 
If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry.| -|Options|Defines whether to display notifications or not|**When Type Allow is selected:** <ul><li>0: nothing</li><li>4: disable AuditAllowed and AuditDenied for this entry. Even if Allow happens and the AuditAllowed is setting configured, the system doesn't send events.</li><li>8: capture a copy of the file as evidence; and must be used together with the **Set location for a copy of the file** setting</li></ul> <p> **When Type Deny is selected:**<ul><li>0: nothing</li><li>4: disable AuditDenied for this entry. Even if Block happens and the AuditDenied is setting configured, the system won't show notifications.</li></ul> <p> **When Type AuditAllowed is selected:** <ul><li>0: nothing</li><li>1: nothing</li><li>2: send events</li></ul> <p> **When Type AuditDenied is selected:** </ul><li>0: nothing</li><li>1: show notifications</li><li>2: send events</li><li>3: show notifications and send events</li></ul>| -|AccessMask|Defines the access.| <li>64: print</li> -|Parameters|Condition for this Entry, for example, network condition.|Can add groups (non-devices type) or even put Parameters into Parameters. 
See Parameters properties table below for more details.| --The table below lists the properties you can use in **Parameters**: --|Property Name|Description|Options| -|||| -|MatchType|When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.|**MatchAll:** <ul><li> Any attributes under the DescriptorIdList are an "And" relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system checks to see whether the USB meets both values.</li></ul> <p> **MatchAny:** <ul></li>The attributes under the DescriptorIdList are an "Or" relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system enforces as long as the USB has either an identical DeviceID or InstanceID value.</li></ul> <p> **MatchExcludeAll:** <ul><li>The attributes under the DescriptorIdList are an "And" relationship, any items that do NOT meet are covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system enforces as long as the USB doesn't have both identical DeviceID and InstanceID value.</li></ul> <p> **MatchExcludeAny:** <ul><li>The attributes under the DescriptorIdList are an "Or" relationship, any items that do NOT meet are covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system enforces as long as the USB doesn't have either an identical DeviceID or InstanceID value.</li></ul>| -|PrintJob Network VPNConnection|The PrintJob or Network or VPNConnection group(s) created above.|Use the GroupId of the PrintJob or Network or VPNConnection group(s) created above.| -|Parameters|You can embed Parameters inside Parameters with MatchType.| --## Enduser experience --You can view the policy name and printer information if you have right options setting in your policy. - |
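Review bot: the deleted Entry property table labels its first row `PolicyRule ID` although it describes the per-entry GUID (the PolicyRule table above it already has that row), and its `AccessMask` row lists only `64: print` under Options; if these tables are being moved to a successor page rather than dropped outright, correct both there. The ordering sentence in the `Type` row ("When there are conflict types for the same media, the system applies the first one in the policy") is the security-relevant behaviour in this section and should survive the move, and the `## Access policy rule` and `## Enduser experience` anchors need redirects so existing links into this section don't dead-end.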
security | Printer Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection.md | - Title: Microsoft Defender for Endpoint Device Control Printer Protection -description: Microsoft Defender for Endpoint Device Control Printer Protection blocks people from printing via non-corporate printers or non-approved USB printer. - Previously updated : 10/25/2023--------- m365-security-- tier3-- mde-asr----# Device Control Printer Protection --**Applies to** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)--> [!NOTE] -> If you want to manage printers, see [Microsoft Defender for Endpoint Device Control Printer Protection](printer-protection-overview.md). --Microsoft Defender for Endpoint Device Control Printer Protection blocks people from printing via non-corporate printers or non-approved USB printer. --## Licensing --Before you get started with Printer Protection, you should [confirm your Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1). To access and use Printer Protection, you must have the following: --- Microsoft 365 E3 for functionality/policy deployment-- Microsoft 365 E5 for reporting--## Permission --For Policy deployment in Intune, to deploy policy via OMA-URI, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions: --- Policy and profile Manager role.-- Or custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles-- Or Global admin--To see device configuration reports, the account must have view reports permissions. 
You can create custom roles or use the built-in roles with these permissions: --- Global security admin-- Security admin-- Security Reader--## Prepare your endpoints --Make sure that the Windows 10 or Windows 11 devices that you plan on deploying Printer Protection to meet these requirements. --1. The following Windows Updates are installed. - - For Windows 1809: install Windows Update [KB5003217](https://support.microsoft.com/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46) - - For Windows 1909: install Windows Update [KB5003212](https://support.microsoft.com/topic/may-20-2021-kb5003212-os-build-18363-1593-preview-05381524-8380-4b30-b783-e330cad3d4a1) - - For Windows 2004 or later --2. If you're planning to deploy policy via Group Policy, the device must be onboarded to Microsoft Defender for Endpoint joined; if you're planning to deploy policy via Microsoft Intune, the device must be joined by using Microsoft Intune. --## Deploy Device Control Printer Protection policy --You can deploy the policy via Group Policy or Intune. --|Title|Description|CSP Support | GPO Support | User-based Support | Machine-based Support | -|||::|::|::|::| -|**Enable Device control Printing Restrictions**|Block people from printing via non-corporate printer|Yes|Yes|Yes|Yes| -|**List of Approved USB-connected print devices**\*|Allow specific USB printer|Yes|Yes|Yes|Yes| --\* This policy must be used together with **Enable Device control Printing Restrictions**. --## Deploy policy via Intune --For Intune, currently Device Control Printer Protection supports OMA-URI only. 
--### Scenario 1: Block people from printing via any non-corporate printer using Intune --- Apply policy over machine:-- `./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl` --- Apply policy over user:-- `./User/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser` --The CSP support string with `<enabled/>`: ---### Scenario 2: Allow specific approved USB printers using Intune --- Apply policy over machine:-- `./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices` --- Apply policy over user:-- `./User/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser` --The CSP support string with approved USB printers via 'ApprovedUsbPrintDevices' property. Example: `<enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>`: ---## Deploy policy via Group Policy --If the device isn't Intune joined, you can also deploy the policy via Group Policy. --### Scenario 1: Block people from printing via any non-corporate printer using Group Policy --- Apply policy over machine:-- Computer Configuration \> Administrative Templates \> Printer: Enable Device control Printing Restrictions --- Apply policy over user:-- User Configuration \> Administrative Templates \> Control Panel \> Printers: Enable Device control Printing Restrictions ---### Scenario 2: Allow specific approved USB printers using Group Policy --- Apply policy over machine:-- Computer Configuration \> Administrative Templates \> Printer: List of Approved USB-connected print devices --- Apply policy over user:-- User Configuration \> Administrative Templates \> Control Panel \> Printers: List of Approved USB-connected print devices ---## View Device Control Printer Protection data in Microsoft Defender for Endpoint portal --The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> shows printing blocked by the Device Control Printer Protection policy above. 
--```kusto -DeviceEvents -| where ActionType == 'PrintJobBlocked' -| extend parsed=parse_json(AdditionalFields) -| extend PrintedFile=tostring(parsed.JobOrDocumentName) -| extend PrintPortName=tostring(parsed.PortName) -| extend PrinterName=tostring(parsed.PrinterName) -| extend Policy=tostring(parsed.RestrictionReason) -| project Timestamp, DeviceId, DeviceName, ActionType, InitiatingProcessAccountName, Policy, PrintedFile, PrinterName, PrintPortName, AdditionalFields -| order by Timestamp desc -``` -- :::image type="content" source="../../media/device-control-advanced-hunting.png" alt-text="advanced hunting" lightbox="../../media/device-control-advanced-hunting.png"::: -- You can use the PnP event to find the USB printer used in the organization: --```kusto -//find the USB Printer VID/PID -DeviceEvents -| where ActionType == "PnpDeviceConnected" -| extend parsed=parse_json(AdditionalFields) -| extend DeviceDescription = tostring(parsed.DeviceDescription) -| extend PrinterDeviceId = tostring(parsed.DeviceId) -| extend VID_PID_Array = split(split(PrinterDeviceId, "\\")[1], "&") -| extend VID_PID = replace_string(strcat(VID_PID_Array[0], '/', VID_PID_Array[1]), 'VID_', '') -| extend VID_PID = replace_string(VID_PID, 'PID_', '') -| extend ClassId = tostring(parsed.ClassId) -| extend VendorIds = tostring(parsed.VendorIds) -| where DeviceDescription == 'USB Printing Support' -| project Timestamp , DeviceId, DeviceName, ActionType, DeviceDescription, VID_PID, ClassId, PrinterDeviceId, VendorIds, parsed -| order by Timestamp desc -``` -- :::image type="content" source="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png" alt-text="The Advanced Hunting page" lightbox="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png"::: |
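Review bot: this hunk removes the whole printer-protection.md page, and with it the only copy in this change set of the OMA-URIs `./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl` and `./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices` (plus their `./User/...` variants), the approved-printer list format `<enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>`, the Group Policy paths, and the two advanced hunting queries (`ActionType == 'PrintJobBlocked'` and the `PnpDeviceConnected` VID/PID extraction). The whats-new row further down only redirects readers to device-control-policies.md; confirm that page carries the same deployment and hunting detail, or keep printer-protection.md as a redirect. The removed `[!NOTE]` also pointed to printer-protection-overview.md, which the whats-new row retires at the same time, so both old URLs need redirects.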
security | Validate Antimalware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/validate-antimalware.md | Title: AV detection test for verifying device's onboarding and reporting services description: AV detection test to verify the device's proper onboarding and reporting to the service. -keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, big sur, monterey, ventura, mde for mac -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium macOS ```bash-curl -o ~/Downloads/eicar.com.txt +curl -o ~/Downloads/eicar.com.txt https://secure.eicar.org/eicar.com.txt ``` 3. The file has been quarantined by Defender for Endpoint on Mac. Use the following command to list all the detected threats: |
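Review bot: correct fix; the `-` line has no URL, so `curl -o ~/Downloads/eicar.com.txt` on its own exits with a "no URL specified" error and step 3 would then be looking for a detection of a file that was never written. With `https://secure.eicar.org/eicar.com.txt` the download also happens over TLS.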
security | Whats New In Microsoft Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md | For more information on Microsoft Defender for Endpoint on specific operating sy ## December 2022 - Microsoft Defender for Endpoint Device control removable storage access control updates:- 1. Microsoft Intune support for removable storage access control is now available. See [Deploy Removable Storage Access Control by using Intune user interface](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-user-interface) + 1. Microsoft Intune support for removable storage access control is now available. See [Deploy and manage device control with Intune](device-control-deploy-manage-intune.md). 2. The new default enforcement policy of removable storage access control is designed for all device control features. Printer Protection is now available for this policy. 
If you create a Default Deny policy, printers will be blocked in your organization.- - Intune: *./Vendor/MSFT/Defender/Configuration/DefaultEnforcement* <br> See [Deploy and manage Removable Storage Access Control using Intune](deploy-manage-removable-storage-intune.md) - - Group policy: *Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement*<br> See [Deploy and manage Removable Storage Access Control using group policy](deploy-manage-removable-storage-group-policy.md) + - Intune: *./Vendor/MSFT/Defender/Configuration/DefaultEnforcement* <br> See [Deploy and manage device control using Intune](device-control-deploy-manage-intune.md) + - Group policy: *Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement*<br> See [Deploy and manage device control with Group Policy](device-control-deploy-manage-gpo.md) -- Microsoft Defender for Endpoint Device control New Printer Protection solution to manage printer is now available. For more information, see-[Printer Protection Overview](printer-protection-overview.md) +- Microsoft Defender for Endpoint Device control New Printer Protection solution to manage printer is now available. For more information, see [Device control policies](device-control-policies.md). ## November 2022 |
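Review bot: the link retargets are consistent, but the unchanged context line `If you create a Default Deny policy, printers will be blocked in your organization.` is the operational caveat in this hunk and now sits next to the generic `device-control-policies.md` link rather than a printer-specific page; link to wherever the new page covers printer Allow rules, so admins who set `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement` to Deny for removable storage can see how to exempt printers before they cut off printing.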
security | Custom Detection Rules | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detection-rules.md | In the rule details screen (**Hunting** \> **Custom detections** \> **[Rule name - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the advanced hunting query language](advanced-hunting-query-language.md) - [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md)+- [Microsoft Graph security API for custom detections](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections) + [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
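Review bot: the added link targets the beta Graph endpoint (`view=graph-rest-beta` in the URL); mark it "beta" or "preview" in the link text so readers don't build production automation for custom detections on a contract that can change. The identical link is added in the custom-detections-overview row below and needs the same label.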
security | Custom Detections Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detections-overview.md | Custom detections provide: - [Create and manage custom detection rules](custom-detection-rules.md) - [Advanced hunting overview](advanced-hunting-overview.md) - [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md)+- [Microsoft Graph security API for custom detections](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections) [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
security | Get Started Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started-xdr.md | The readiness assessment has two parts: > [!IMPORTANT] > Defender Experts for XDR reviews your readiness assessment periodically, especially if there are any changes to your environment, such as the addition of new devices and identities. It's important that you regularly monitor and run the readiness assessment beyond the initial onboarding to ensure that your environment has strong security posture to reduce risk.+ After you complete all the required tasks and met the onboarding targets in your readiness assessment, your service delivery manager (SDM) initiates the monitoring phase of the Defender Experts for XDR service, where, for a few days, our experts start monitoring your environment closely to identify latent threats, sources of risk, and normal activity. As we get better understanding of your critical assets, we can streamline the service and fine-tune our responses. Once our experts begin to perform comprehensive response work on your behalf, you’ll start receiving [notifications about incidents](../defender/start-using-mdex-xdr.md#incident-updates) that require remediation steps and targeted recommendations on critical incidents. You can also chat with our experts or your SDMs regarding important queries and regular business and security posture reviews, and [view real-time reports](../defender/start-using-mdex-xdr.md#understand-the-defender-experts-for-xdr-report) on the number of incidents we’ve investigated and resolved on your behalf. |
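Review bot: the inserted blank line after the `[!IMPORTANT]` callout is needed, not cosmetic: without it the `After you complete all the required tasks...` paragraph is a lazy continuation of the `>` blockquote and renders inside the callout. While touching this paragraph, `complete all the required tasks and met the onboarding targets` should read `have completed ... and met`.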
security | Manage Rbac | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-rbac.md | Centralized permissions management is supported for the following solutions: |Microsoft Defender XDR|Centralized permissions management for Microsoft Defender XDR experiences.| |Microsoft Defender for Endpoint|Full support for all endpoint data and actions. All roles are compatible with the device group's scope as defined on the device groups page.| |Microsoft Defender Vulnerability Management|Centralized permissions management for all Defender Vulnerability Management capabilities.|-|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](../office-365-security/mdo-portal-permissions.md) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) isn't supported.</li><li>Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</li><li>Azure B2B invited guests aren't supported by Defender XDR RBAC, for experiences that were previously under Exchange Online RBAC.</li></ul>| +|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](../office-365-security/mdo-portal-permissions.md) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. 
This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) isn't supported.</li><li>Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</li><li>Azure B2B invited guests aren't supported by experiences that were previously under Exchange Online RBAC.</li></ul>| |Microsoft Defender for Identity|Full support for all identity data and actions. </br></br> **Note:** Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).| |Microsoft Defender for Cloud|Support access management for all Defender for Cloud data that is available in Microsoft Defender portal.| |Microsoft Secure Score|Full support for all Secure Score data from the [Products included in Secure Score](../defender/microsoft-secure-score.md#products-included-in-secure-score).| |
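Review bot: the reworded last bullet of the Defender for Office 365 note changes meaning. The `-` line says Azure B2B guests aren't supported by Defender XDR RBAC for the experiences formerly under Exchange Online RBAC; the `+` line says those experiences don't support guests at all, dropping the qualifier that this is a Unified RBAC limitation. If the intent was only to simplify, restore "by Defender XDR Unified RBAC"; if guest access is genuinely unsupported regardless of RBAC model, say so explicitly, since admins use this table to decide whether to migrate.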
security | Microsoft 365 Security Center Defender Cloud | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud.md | You must be a global administrator or a security administrator in Azure Active D The following section describes the detection and investigation experience in Microsoft Defender XDR with Defender for Cloud alerts. +> [!NOTE] +> Informational alerts from Defender for Cloud are not integrated to Microsoft Defender XDR to allow focus on the relevant and high severity alerts. This strategy streamlines management of incidents and reduces alert fatigue. + > [!div class="mx-tdCol2BreakAl"] > |Area |Description | > |-|--| |
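Review bot: in the added note, "not integrated to" should be "not integrated into". More importantly, the note means the Defender XDR incident queue is not a complete view of Defender for Cloud alerts; state where the informational alerts can still be reviewed (Defender for Cloud itself) so analysts don't take their absence in XDR as absence everywhere.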
security | Criteria | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/criteria.md | Title: How Microsoft identifies malware and potentially unwanted applications-+ description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application. +keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications +ms.mktglfcycl: secure +ms.sitesec: library ms.localizationpriority: medium -Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You're also warned about software that is unknown to us. +Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You are also warned about software that is unknown to us. -You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). Submitting files for analysis helps ensure that unknown or suspicious software is scanned by our system to start establishing reputation. 
[Learn more about submitting files for analysis](submission-guide.md) +You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md) The next sections provide an overview of the classifications we use for applications and the types of behaviors that lead to that classification. Once enough data is gathered, Microsoft's security solutions can make a determin ## Malware -Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software*, *unwanted software*, or *tampering software*. +Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*. ### Malicious software -Malicious software is an application or code that compromises user security. Malicious software might steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states. +Malicious software is an application or code that compromises user security. Malicious software may steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states. 
Microsoft classifies most malicious software into one of the following categories: Microsoft classifies most malicious software into one of the following categorie * **Obfuscator:** A type of malware that hides its code and purpose, making it more difficult for security software to detect or remove. -* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a key logger, which collects and sends information about the keys you press and websites you visit. +* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit. -* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [Learn more about ransomware](/security/ransomware/). +* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](/security/ransomware/human-operated-ransomware). * **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services. * **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate to tricks users into downloading and installing it. 
Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device. -* **Trojan clicker:** A type of trojan that automatically selects buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device. +* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device. * **Worm:** A type of malware that spreads to other devices. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate. Software that exhibits lack of choice might: * Falsely claim to be software from Microsoft. -Software must not mislead or coerce you into making decisions about your device. It's considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might: +Software must not mislead or coerce you into making decisions about your device. It is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might: * Display exaggerated claims about your device's health. Software that exhibits lack of control might: * Modify or manipulate webpage content without your consent. -Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered nonextensible and shouldn't be modified. 
+Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered non-extensible and shouldn't be modified. #### Installation and removal Advertisements shown to you must: Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Microsoft Defender Antivirus and other Microsoft antimalware solutions. -#### Tampering software --Tampering software encompasses a broad spectrum of tools and threats that directly or indirectly lower the overall level of security of devices. Examples of common tampering actions include: --* **Disabling or uninstalling security software**: Tools and threats that attempt to evade defense mechanisms by disabling or uninstalling security software, such as antivirus, EDR, or network protection systems. These actions leave the system vulnerable to further attacks. - -* **Abusing operating system features and settings**: Tools and threats that exploit features and settings within the operating system to compromise security. Examples include: -- - **Firewall abuse**: Attackers using firewall components to indirectly tamper with security software or block legitimate network connections, potentially enabling unauthorized access or data exfiltration. -- - **DNS manipulation**: Tampering with DNS settings to redirect traffic or block security updates, leaving the system exposed to malicious activities. 
-- - **Safe mode exploitation**: Leveraging the legitimate `Safe Mode` setting to put the device in a state where security solutions might be bypassed, allowing for unauthorized access or malware execution. --* **Manipulating system components**: Tools and threats that target critical system components, such as kernel drivers or system services, to compromise the overall security and stability of the device. - -* **Privilege escalation**: Techniques aimed at elevating user privileges to gain control over the system's resources and potentially manipulate security settings. - -* **Interfering with security updates**: Attempts to block or manipulate security updates, leaving the system vulnerable to known vulnerabilities. - -* **Disrupting critical services**: Actions that disrupt essential system services or processes, potentially causing system instability and opening the door for other attacks. - -* **Unauthorized registry changes**: Modifications to the Windows Registry or system settings that impact the security posture of the device. - -* **Tampering with boot processes**: Efforts to manipulate the boot process, which can result in the loading of malicious code during startup. - ## Potentially unwanted application (PUA) Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). -*PUAs aren't considered malware.* +*PUAs are not considered malware.* Microsoft uses specific categories and the category definitions to classify software as a PUA. 
-* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. Such software includes software that inserts advertisements to webpages. +* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages. * **Torrent software (Enterprise only):** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies. * **Cryptomining software (Enterprise only):** Software that uses your device resources to mine cryptocurrencies. -* **Bundling software:** Software that offers to install other software that isn't developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document. +* **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document. * **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research. Microsoft uses specific categories and the category definitions to classify soft * **Poor industry reputation:** Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection. 
-## Vulnerable software --Vulnerable software is an application or code that has security flaws or weaknesses which can be exploited by attackers to perform various malicious and potentially destructive actions. These vulnerabilities may stem from unintentional coding errors or design flaws, and if exploited, can lead to harmful activities such as unauthorized access, privilege escalation, tampering, and more. --### Vulnerable drivers --Despite strict requirements and reviews imposed on code running in kernel, device drivers remain susceptible to various types of vulnerabilities and bugs. Examples include memory corruption and arbitrary read and write bugs, which can be exploited by attackers to execute more significant malicious and destructive actions -ΓÇô actions typically restricted in user mode. Terminating critical processes on a device is an example of such malicious action. |
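Review bot: the hunks that delete the whole `#### Tampering software` subsection and the whole `## Vulnerable software` / `### Vulnerable drivers` section leave no replacement text and no cross-reference, so the criteria article no longer says how Microsoft classifies tampering tools or vulnerable drivers; if that content moved to another article, add a link in its place (for example a one-line "For tampering and vulnerable-driver criteria, see ..." pointing at the new location), and if it was removed on purpose the commit message should say so. Two smaller points in the same patch: the PUA hunks rewrite `aren't` to `are not` and `isn't` to `is not` (`-*PUAs aren't considered malware.*` / `+*PUAs are not considered malware.*`), which runs against the contraction style used elsewhere on the page and should be confirmed as intentional; and the unchanged context line `This Security intelligence identifies the software as malware and are available to all users` has a subject-verb mismatch (`are` should be `is`) that is worth fixing while this file is open. The deleted `Vulnerable drivers` paragraph also carried a mis-encoded en dash (`ΓÇô`), so that artifact disappears with the removal rather than being repaired.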
security | Reports Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-defender-for-office-365.md | PowerShell reporting cmdlets: ||| |Top senders and recipients|[Get-MailTrafficSummaryReport](/powershell/module/exchange/get-mailtrafficsummaryreport)| |Top malware|[Get-MailTrafficSummaryReport](/powershell/module/exchange/get-mailtrafficsummaryreport)|-|Mail traffic|[Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <p> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)| +|Threat protection status|[Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <p> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)| |Safe Links|[Get-SafeLinksAggregateReport](/powershell/module/exchange/get-safelinksaggregatereport) <p> [Get-SafeLinksDetailReport](/powershell/module/exchange/get-safelinksdetailreport)| |Compromised users|[Get-CompromisedUserAggregateReport](/powershell/module/exchange/get-compromiseduseraggregatereport) <p> [Get-CompromisedUserDetailReport](/powershell/module/exchange/get-compromiseduserdetailreport)| |Mail flow status|[Get-MailflowStatusReport](/powershell/module/exchange/get-mailflowstatusreport)| |
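Review bot: the rename of the row label from `Mail traffic` to `Threat protection status` for `Get-MailTrafficATPReport` / `Get-MailDetailATPReport` should be checked against the report section headings in the same article so the label in this cmdlet table matches the heading readers navigate to; if the report is titled differently elsewhere on the page, the two will drift apart again. The table's header row is empty (`|||`), so the columns have no labels for screen readers or for a reader skimming the table; suggest `|Report|PowerShell cmdlets|` as the header, with the separator row below it, consistent with the two-column layout of the remaining rows.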
security | Submissions Admin Review User Reported Messages | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin-review-user-reported-messages.md | Admins can mark messages and notify users of review results only if the user [re - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Authorization and settings/System settings/Read-only**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** or **Security Administrator** role groups. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** role group.- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. + - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. - You need access to Exchange Online PowerShell. If your account doesn't have access to Exchange Online PowerShell, you get the following error: *Specify an email address in your domain*. For more information about enabling or disabling access to Exchange Online PowerShell, see the following articles: - [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell) |
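Review bot: adding **Global Reader** to the sentence `Membership in the **Global Administrator**, **Security Administrator**, or **Global Reader** roles gives users the required permissions` conflates read-only and write access, because the section is about marking messages and notifying users of review results, and Global Reader is a read-only role; the adjacent Defender XDR RBAC bullet already distinguishes `System settings/manage` from `System settings/Read-only`, so this bullet should make the same split (for example "Global Administrator or Security Administrator to mark messages and notify users; Global Reader to view submissions only") rather than listing all three as equivalent. The note that these roles also grant `permissions for other features in Microsoft 365` is unchanged and still appropriate as a least-privilege caveat.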